Help! Malware And Adware Infection! Homepage Hijacker!


  • This topic is locked
9 replies to this topic

#1 blackstallion

blackstallion

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 10 April 2006 - 02:19 PM

My system is in bad shape. I followed the preparation guide for HijackThis and it seemed to help, but I wanted to post the log just to make sure that it was gone for good. So if someone could look it over for me I would be most thankful!!!! Also, could you recommend an antivirus program to me? I'm without one now.





Logfile of HijackThis v1.99.1
Scan saved at 3:12:38 PM, on 4/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\COMMON~1\WinTools\WSup.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.RussWhitney.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {9CF887C3-763F-C8F6-5A0D-FD3AEC35E6F5} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F43F3C5C-3DA3-C41F-EC36-21F6CC5E38E1} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ipfq.exe] C:\WINDOWS\ipfq.exe
O4 - HKLM\..\Run: [ntcq.exe] C:\WINDOWS\ntcq.exe
O4 - HKLM\..\Run: [mfcyo.exe] C:\WINDOWS\system32\mfcyo.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.RussWhitney.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...s/en/x86/client/wuweb_site.cab?1135221199756
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...s/en/x86/client/muweb_site.cab?1135221153850
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:03 AM

Posted 10 April 2006 - 06:28 PM

Click here to download ewido anti-malware - it is a trial version of the program.
  • Install ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Then:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Rescan with HJT and post a new log here (without word wrap) together with the ewido log so that any remnants can be removed manually.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 blackstallion

blackstallion
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 11 April 2006 - 08:49 AM

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:43:48 AM, 4/11/2006
+ Report-Checksum: 18685491

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{25624BFB-63BC-9D3A-463E-ECF159ED6A0C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res\WToolsB.ResProtocol -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\WinTools -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\WinTools\kydmzylki -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\WinTools\nlibjhin -> Adware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\WinTools\nlibx4m -> Adware.WebSearch : Cleaned with backup
HKU\S-1-5-21-842925246-1708537768-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CF887C3-763F-C8F6-5A0D-FD3AEC35E6F5} -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-842925246-1708537768-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F43F3C5C-3DA3-C41F-EC36-21F6CC5E38E1} -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-842925246-1708537768-1060284298-1003\Software\WinTools -> Adware.WebSearch : Cleaned with backup
HKU\S-1-5-21-842925246-1708537768-1060284298-1003\Software\WinTools\URLSearchHooks -> Adware.WebSearch : Cleaned with backup
[1192] C:\Program Files\Common Files\WinTools\WToolsA.exe -> Adware.Wintol : Cleaned with backup
[1236] C:\PROGRA~1\COMMON~1\WinTools\WSup.exe -> Adware.Wintol : Cleaned with backup
C:\FOUND.000\FILE1553.CHK -> Downloader.Dyfuca.bx : Cleaned with backup
C:\FOUND.000\FILE3813.CHK -> Downloader.IstBar.fr : Cleaned with backup
C:\WINDOWS\SYSTEM\mtwcnl32.dll -> Hijacker.StartPage.bs : Cleaned with backup
C:\WINDOWS\erdzil.dat -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\TEMP\~898136.tmp -> Adware.Wintol : Cleaned with backup
C:\WINDOWS\TEMP\~903388.tmp -> Adware.Wintol : Cleaned with backup
C:\WINDOWS\TEMP\~512168.tmp -> Adware.Wintol : Cleaned with backup
C:\WINDOWS\TEMP\~512171.tmp -> Adware.Wintol : Cleaned with backup
C:\WINDOWS\TEMP\~886425.tmp -> Adware.Wintol : Cleaned with backup
C:\WINDOWS\TEMP\~484554.tmp -> Adware.Wintol : Cleaned with backup
C:\WINDOWS\TEMP\~529420.tmp -> Adware.Wintol : Cleaned with backup
C:\WINDOWS\TEMP\~529448.tmp -> Adware.Wintol : Cleaned with backup
C:\WINDOWS\qhmgps.dat -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\bzigew.dat -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gxyovu.dat -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\uzvxxm.dat -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\msreg.exe -> Logger.Small.i : Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Common Files\WinTools\WSup.exe -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\~571969.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\~578573.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\~581170.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\~602907.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\~596545.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\~600485.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\~603279.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\~606931.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\hotfix.exe -> Adware.WebSearch : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@www.popuptraffic[1].txt -> TrackingCookie.Popuptraffic : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@www.xxxtoolbar[1].txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@www.res99[1].txt -> TrackingCookie.Res99 : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@hotbabes.com.19522.fb.dbbsrv[2].txt -> TrackingCookie.Dbbsrv : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@1xxx.cqcounter[1].txt -> TrackingCookie.Cqcounter : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@cz7.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@1us.cqcounter[1].txt -> TrackingCookie.Cqcounter : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@cz6.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@www.sexpositions.com.19249.fb.dbbsrv[2].txt -> TrackingCookie.Dbbsrv : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@cz8.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@install.xxxtoolbar[1].txt -> TrackingCookie.Xxxtoolbar : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@programs.wegcash[1].txt -> TrackingCookie.Wegcash : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@cz3.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@www.sidefind[1].txt -> TrackingCookie.Sidefind : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@sec1.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@www.myaffiliateprogram[3].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.6:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\73bjv0ql.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.7:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\73bjv0ql.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.8:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\73bjv0ql.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.9:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\73bjv0ql.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.15:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\73bjv0ql.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP77\A0008021.dll -> Downloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP81\A0008178.dll -> Downloader.Dyfuca.cn : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP85\A0009188.dll -> Downloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP86\A0009306.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012499.exe -> Downloader.Zdesnado.h : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012500.exe -> Downloader.Zdesnado.h : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012501.exe -> Dialer.Kotu.c : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012502.exe -> Downloader.Delf.at : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012503.exe -> Hijacker.Agent.v : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012505.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012506.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012507.exe -> Hijacker.Agent.n : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012509.exe -> Trojan.Dialer.j : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012510.exe -> Trojan.Dialer.j : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012511.exe -> Dialer.Pormd : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012512.exe -> Dialer.Pormd : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012528.exe -> Adware.Wintol : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP88\A0012725.exe -> Adware.Wintol : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP89\A0012762.exe -> Adware.Wintol : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 9:46:20 AM, on 4/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 4 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.RussWhitney.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {9CF887C3-763F-C8F6-5A0D-FD3AEC35E6F5} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F43F3C5C-3DA3-C41F-EC36-21F6CC5E38E1} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ipfq.exe] C:\WINDOWS\ipfq.exe
O4 - HKLM\..\Run: [ntcq.exe] C:\WINDOWS\ntcq.exe
O4 - HKLM\..\Run: [mfcyo.exe] C:\WINDOWS\system32\mfcyo.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.RussWhitney.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135221199756
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135221153850
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
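The ewido report above lists every detection as `item -> Family : action`, and most of the noise is tracking cookies and old copies inside System Restore points, while the handful of registry keys, running processes and `.exe`/`.dll` files are what the helper then cross-checks against the HijackThis log. The parser below is an added example (not ewido's or the helper's code): it splits a constructed excerpt of that report into location classes and pulls out the executable names worth looking for in the next HJT log. The location heuristics (which path prefixes count as restore point, cookie, temp and so on) are my own assumptions, not ewido's categories.

```python
import re
from collections import Counter

# Constructed excerpt of the ewido scan report posted in this thread (eight of
# the report's lines, copied as-is so the parser runs offline).
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\WinTools -> Adware.WebSearch : Cleaned with backup
HKU\S-1-5-21-842925246-1708537768-1060284298-1003\Software\WinTools\URLSearchHooks -> Adware.WebSearch : Cleaned with backup
[1192] C:\Program Files\Common Files\WinTools\WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\WINDOWS\msreg.exe -> Logger.Small.i : Cleaned with backup
C:\WINDOWS\TEMP\~898136.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.6:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\73bjv0ql.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\System Volume Information\_restore{0B620C07-DDDC-42A2-AFE0-6C89D4D3FC6F}\RP87\A0012501.exe -> Dialer.Kotu.c : Cleaned with backup
"""

# One report line: "<item> -> <Family.name> : <action>"
LINE_RE = re.compile(r"^(?P<item>.+?) -> (?P<family>\S+) : (?P<action>.+)$")
# ewido prefixes a detection inside a running process with "[pid] "
PID_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+")


def classify_location(item):
    """Where the detection lived (assumed heuristics); this decides how much it matters."""
    if item.startswith(("HKLM\\", "HKU\\", "HKCU\\")):
        return "registry"
    if PID_RE.match(item):                      # "[pid] path" = a running process
        return "running process"
    if item.startswith(":mozilla."):            # one record inside Firefox cookies.txt
        return "firefox cookie"
    low = item.lower()
    if "\\system volume information\\_restore" in low:
        return "system restore point"           # an old copy, inert until restored
    if "\\cookies\\" in low:
        return "ie cookie"
    if "\\temp\\" in low:
        return "temp"
    return "file"


def parse_report(text):
    """Turn the report body into one dict per detection."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                            # header, blank and "::Report End" lines
        item = m.group("item")
        rows.append({
            "item": item,
            "family": m.group("family"),
            "category": m.group("family").split(".")[0],   # Adware, Trojan, Dialer, ...
            "action": m.group("action"),
            "location": classify_location(item),
        })
    return rows


def summarize(rows):
    """Counts per location and category, plus the executables to cross-check in HJT."""
    executables = []
    for r in rows:
        # Restore-point copies, temp files and cookies never show up as HJT entries.
        if r["location"] in ("system restore point", "temp", "ie cookie", "firefox cookie", "registry"):
            continue
        path = PID_RE.sub("", r["item"])
        base = path.rpartition("\\")[2]
        if base.lower().endswith((".exe", ".dll")):
            executables.append(base)
    return {
        "by_location": Counter(r["location"] for r in rows),
        "by_category": Counter(r["category"] for r in rows),
        "executables": executables,
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run on the full report from the post, the same script shows why the helper was relaxed about the long list: the bulk is cookies and restore-point copies, and only `WToolsA.exe`, `WSup.exe`, `WToolsB.dll`, `mtwcnl32.dll` and `msreg.exe` were live components, which is exactly the set that disappears from the process list and O4 entries in the next HijackThis log.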

#4 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:03 AM

Posted 11 April 2006 - 05:24 PM

You are running HijackThis from its zipped archive; please create a new folder for it and unzip the program into it. It is very important you do this before anything else!

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {9CF887C3-763F-C8F6-5A0D-FD3AEC35E6F5} - (no file)
O2 - BHO: (no name) - {F43F3C5C-3DA3-C41F-EC36-21F6CC5E38E1} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
O4 - HKLM\..\Run: [ipfq.exe] C:\WINDOWS\ipfq.exe
O4 - HKLM\..\Run: [ntcq.exe] C:\WINDOWS\ntcq.exe
O4 - HKLM\..\Run: [mfcyo.exe] C:\WINDOWS\system32\mfcyo.exe


Exit HijackThis when done. Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Using Windows Explorer, find and delete the following:

C:\WINDOWS\ipfq.exe
C:\WINDOWS\ntcq.exe
C:\WINDOWS\system32\mfcyo.exe

Exit Explorer and reboot into Normal Mode. Rescan with HijackThis and post a new log here.
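The entries the helper picked out above follow three recognisable patterns: IE defaults that have been blanked or pointed at a local `.htm` (R0/R1), BHOs and toolbars whose DLL is gone (O2/O3 with `(no file)` / `(file missing)`), and Run values named after a random-looking `.exe` dropped straight into `C:\WINDOWS` or `system32` (O4). The script below is an added example, not HijackThis code or the helper's method: it applies those three rules to a constructed excerpt of the log posted in this thread and lists the on-disk files behind the flagged O4 entries, which is the Safe Mode deletion step in the post. The rules are my own assumptions written to reproduce the helper's choices on this log; a real HJT reviewer also weighs context the rules do not see.

```python
import re

# Constructed excerpt of the HijackThis v1.99.1 log posted in this thread; the
# lines are copied from the post so the rules can be checked against what the
# helper actually told the poster to fix.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {9CF887C3-763F-C8F6-5A0D-FD3AEC35E6F5} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ipfq.exe] C:\WINDOWS\ipfq.exe
O4 - HKLM\..\Run: [mfcyo.exe] C:\WINDOWS\system32\mfcyo.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)
# Autoruns sitting directly in these folders (not a subfolder) whose file name
# doubles as the Run value name are the pattern the helper removed (assumed rule).
BARE_WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}


def _check_browser_default(body):
    """R0/R1: flag blanked or locally redirected IE start/search pages."""
    _, _, value = body.partition("=")
    value = value.strip()
    low = value.lower()
    if value == "" or low == "about:blank":
        return "IE default blanked (start-page hijack residue)"
    if low.startswith("c:\\windows\\") and low.endswith(".htm"):
        return "IE default points at a local .htm inside the Windows folder"
    return None


def _check_orphaned_com(body):
    """O2/O3: a registered BHO or toolbar whose DLL no longer exists."""
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return "COM object registered but its file is gone (orphaned registration)"
    return None


def _check_autorun(body):
    """O4: a Run value named after a bare .exe dropped into the Windows folder."""
    m = RUN_RE.match(body)
    if not m:
        return None, None
    exe = EXE_RE.match(m.group("cmd").strip())
    if not exe:
        return None, None
    path = exe.group("path")
    folder, _, base = path.lower().rpartition("\\")
    if folder in BARE_WINDOWS_DIRS and m.group("name").lower() == base:
        return "Run value named after a bare .exe in the Windows folder", path
    return None, None


def triage(log_text):
    """Return the log entries the three rules would ask a helper to look at."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                    # header lines and the process list
        sect, body = m.group("sect"), m.group("body")
        reason, path = None, None
        if sect in ("R0", "R1"):
            reason = _check_browser_default(body)
        elif sect in ("O2", "O3"):
            reason = _check_orphaned_com(body)
        elif sect == "O4":
            reason, path = _check_autorun(body)
        if reason:
            findings.append({"section": sect, "reason": reason, "line": line, "path": path})
    return findings


def files_to_delete(findings):
    """The on-disk files behind flagged O4 entries (the Safe Mode deletion step)."""
    return [f["path"] for f in findings if f["section"] == "O4" and f["path"]]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['section']}: {f['reason']}\n    {f['line']}")
    print("delete in Safe Mode:", files_to_delete(found))
```

On this excerpt the script flags the same seven entries the helper listed and leaves the Google toolbar, the Zone Labs and Java autoruns and the Yahoo start page alone. The O4 rule is deliberately narrow (folder plus name match) so that legitimate autoruns in `Program Files` never trip it; it is a reading aid for logs like this one, not a replacement for a reviewer.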

#5 blackstallion

blackstallion
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 18 April 2006 - 10:59 AM

Thanks, you really helped me out!!! My system is working a lot better thanks to you!!!!! :thumbsup:

Edited by blackstallion, 18 April 2006 - 11:02 AM.


#6 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:03 AM

Posted 18 April 2006 - 01:24 PM

Post that final log.

#7 blackstallion

blackstallion
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 20 April 2006 - 03:49 PM

Sorry for the delay, vacationing in Florida but back home now.
I looked for the listed files in Safe Mode after I got rid of the entries you had listed. I could not locate them at all; I also ran a search and the files were nowhere on the computer. Here is the final log. I see some entries I deleted are still there!!



Logfile of HijackThis v1.99.1
Scan saved at 4:41:50 PM, on 4/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 6 for HijackThis.zip\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.RussWhitney.com
O2 - BHO: (no name) - {9CF887C3-763F-C8F6-5A0D-FD3AEC35E6F5} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F43F3C5C-3DA3-C41F-EC36-21F6CC5E38E1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.RussWhitney.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...s/en/x86/client/wuweb_site.cab?1135221199756
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...s/en/x86/client/muweb_site.cab?1135221153850
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#8 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:03 AM

Posted 20 April 2006 - 05:04 PM

Looks better - is it still running OK?

#9 blackstallion

blackstallion
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:03 AM

Posted 21 April 2006 - 07:44 AM

Yes, it's still up and running fine. I have a question on my system: I don't have any anti-virus protection on it; could you recommend some decent software at a reasonable price, if you don't mind? Thank you again for all your help with my system.

#10 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:03 AM

Posted 22 April 2006 - 02:01 AM

You're welcome - glad to help :thumbsup:

There are recommendations in the article here (AVG is good and free):

So how did I get infected?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.