
Popups And Command Service


7 replies to this topic

#1 slither101

  • Members
  • 4 posts

Posted 30 May 2006 - 04:25 PM

Hey.. I don't know what's going on with my computer, but it's having a lot of popups, and when I scan for spyware it finds something called command service... Anyways, here's my Log. Thanks in advance for the help.



Logfile of HijackThis v1.99.1
Scan saved at 2:23:02 PM, on 5/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\DOCUME~1\Lisa\MYDOCU~1\SSTEM~1\msconfig.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\F?nts\n?pdb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lisa\Desktop\stng260.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7B377359-CCEB-EC47-B929-EFABBF3DB5E9} - C:\WINDOWS\System32\fxfjeris.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [objpws] C:\WINDOWS\System32\objpws.exe
O4 - HKCU\..\Run: [Erah] "C:\DOCUME~1\Lisa\MYDOCU~1\SSTEM~1\msconfig.exe" -vt mt
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Lisa\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\wpnotify.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
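As an added example (not code from the thread or from HijackThis itself), a small Python triage script that parses HijackThis log lines like the ones above and flags the patterns a helper scans for: look-alike folder names that HijackThis prints with "?", autoruns launched from the user profile, orphaned entries whose target file is gone, Trusted Zone additions, ActiveX installs from a local .chm, and a populated AppInit_DLLs value. The sample log and the adware name list are constructed from entries in this thread and are assumptions, not an exhaustive signature set.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\DOCUME~1\Lisa\MYDOCU~1\SSTEM~1\msconfig.exe
C:\Program Files\F?nts\n?pdb.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Erah] "C:\DOCUME~1\Lisa\MYDOCU~1\SSTEM~1\msconfig.exe" -vt mt
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Lisa\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O20 - AppInit_DLLs: inicfg32.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Entry:
    section: str   # HijackThis section code ("O4", "R0", ...) or "PROC" for a running process
    text: str


@dataclass
class Finding:
    rule: str
    entry: Entry


ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# A Windows path containing '?': HijackThis prints non-ASCII look-alike characters as '?',
# which is how "F?nts" and "?icrosoft" appear in this thread's logs. A drive letter is
# required so the '?' in the start-page URL's query string does not match.
LOOKALIKE_PATH_RE = re.compile(r"[A-Za-z]:\\[^\n]*?\?")
USER_PROFILE_MARKERS = ("docume~1", "documents and settings", "application data",
                        "mydocu~1", "\\temp\\")
# Adware families named in this thread (assumed, illustrative list only).
ADWARE_NAMES = ("e2g", "mirar", "whenu", "purityscan", "outerinfo")


def parse_hjt(text: str) -> list[Entry]:
    """Split a HijackThis log into running-process lines and Rx/Fx/Ox entries."""
    entries, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_procs:
            entries.append(Entry("PROC", line))
    return entries


def triage(text: str) -> list[Finding]:
    """Apply the review heuristics; each hit is one (rule, entry) pair, so a line can hit twice."""
    findings = []
    for e in parse_hjt(text):
        low = e.text.lower()
        if LOOKALIKE_PATH_RE.search(e.text):
            findings.append(Finding("lookalike-path", e))
        if e.section in ("O4", "PROC") and any(m in low for m in USER_PROFILE_MARKERS):
            findings.append(Finding("user-profile-path", e))
        if any(n in low for n in ADWARE_NAMES):
            findings.append(Finding("adware-name", e))
        if "(file missing)" in low or "(no file)" in low:
            findings.append(Finding("orphaned-entry", e))
        if e.section == "O15":
            findings.append(Finding("trusted-zone", e))
        if e.section == "O16" and "mk:@msitstore" in low:
            findings.append(Finding("local-chm-activex", e))
        if e.section == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
            findings.append(Finding("appinit-dll", e))
    return findings


def summarize(text: str) -> dict[str, int]:
    """Count findings per rule, for a quick first look at how messy a log is."""
    return dict(Counter(f.rule for f in triage(text)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:20} {f.entry.section:5} {f.entry.text}")
    print(summarize(SAMPLE_LOG))
```

Entries a rule flags still need a human decision; the Zone Labs lines pass every rule here, while the "msconfig.exe" running from My Documents is caught only because of where it lives, not its name.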



#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 May 2006 - 06:49 PM

Hello slither101,

Welcome to Bleeping Computer :thumbsup:

Look in your Control Panel's Add/Remove Programs for PuritySCAN By OIN, OuterInfo, OIN or similar. Click on it and then click Remove.

Reboot and if found, delete this folder:

C:\Program Files\PurityScan

If not listed, download and run this uninstaller: http://www.outerinfo.com/OiUninstaller.exe
Tutorial for the uninstaller, if needed: http://www.outerinfo.com/howto.html

Reboot when done and if found, delete this folder:

C:\Program Files\PurityScan

In your reply I need to see a HijackThis log made in normal mode with everything enabled at startup, please. I can't get everything if I can't see it.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 slither101

  • Topic Starter
  • Members
  • 4 posts

Posted 01 June 2006 - 10:30 AM

Thanks for replying, and here is my HijackThis log without doing anything at startup (aside from closing the 8 popups :-/).

I tried to run that uninstaller, but the link to get it said "You are not authorized to view this page." I didn't find that folder on my C: drive either. Anyways, here's the log.

Logfile of HijackThis v1.99.1
Scan saved at 10:28:00 AM, on 6/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\objpws.exe
C:\WINDOWS\System32\objpws.exe
C:\DOCUME~1\Lisa\MYDOCU~1\SSTEM~1\msconfig.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\F?nts\n?pdb.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7B377359-CCEB-EC47-B929-EFABBF3DB5E9} - C:\WINDOWS\System32\fxfjeris.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [objpws] C:\WINDOWS\System32\objpws.exe
O4 - HKCU\..\Run: [Erah] "C:\DOCUME~1\Lisa\MYDOCU~1\SSTEM~1\msconfig.exe" -vt mt
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [objpws] C:\WINDOWS\System32\objpws.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Lisa\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\wpnotify.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



thanks again

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 June 2006 - 02:15 PM

Hello again,

We'll try that again later. I rechecked the link, and it's all right. It just might be due to the malware present here. Your log is really a mess. :thumbsup: I'm bringing out the big guns right off, so be as exact as can be with the directions. :flowers:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\System32\fxfjeris.dll
C:\WINDOWS\System32\objpws.exe
%Windir%\System32\askearth17.exe
%Windir%\System32\ei.exe
%Windir%\System32\filgmo.exe
%Windir%\system32\inicfg32.dll
%Windir%\System32\pruttct.exe
%Windir%\System32\prutpct.exe
%Windir%\System32\prutsct.exe
%Windir%\System32\ptech.exe
%Windir%\System32\skytown.exe
%ProgramFiles%\data19
%Windir%\pi1.exe
%UserProfile%\Desktop\askearth17.exe
%UserProfile%\Desktop\ei.exe
%UserProfile%\Desktop\filgmo.exe
%UserProfile%\Desktop\prutpct.exe
%UserProfile%\Desktop\prutsct.exe
%UserProfile%\Desktop\ptech.exe
%UserProfile%\Desktop\skytown.exe
%UserProfile%\Local Settings\Temp\ei.exe

Folders to delete:
C:\PROGRAM FILES\E2G
C:\PROGRAM FILES\Windows AdStatus

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Registry keys to delete:
HKLM\software\e2g
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6}


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of C:\avenger.txt into your reply along with a fresh HJT log, using Add/Reply.

Let me know how your computer is running now.

Thanks,
tea

#5 slither101

  • Topic Starter
  • Members
  • 4 posts

Posted 02 June 2006 - 04:03 PM

Sorry it took me so long, I had some football practices to go to. Thanks for replying again, and here are the log files you asked for.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\htcwdcpw

*******************

Script file located at: \??\C:\WINDOWS\System32\dxmocggx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\fxfjeris.dll deleted successfully.
File C:\WINDOWS\System32\objpws.exe deleted successfully.


File C:\WINDOWS\System32\askearth17.exe not found!
Deletion of file C:\WINDOWS\System32\askearth17.exe failed!

Could not process line:
C:\WINDOWS\System32\askearth17.exe
Status: 0xc0000034



File C:\WINDOWS\System32\ei.exe not found!
Deletion of file C:\WINDOWS\System32\ei.exe failed!

Could not process line:
C:\WINDOWS\System32\ei.exe
Status: 0xc0000034



File C:\WINDOWS\System32\filgmo.exe not found!
Deletion of file C:\WINDOWS\System32\filgmo.exe failed!

Could not process line:
C:\WINDOWS\System32\filgmo.exe
Status: 0xc0000034

File C:\WINDOWS\system32\inicfg32.dll deleted successfully.


File C:\WINDOWS\System32\pruttct.exe not found!
Deletion of file C:\WINDOWS\System32\pruttct.exe failed!

Could not process line:
C:\WINDOWS\System32\pruttct.exe
Status: 0xc0000034



File C:\WINDOWS\System32\prutpct.exe not found!
Deletion of file C:\WINDOWS\System32\prutpct.exe failed!

Could not process line:
C:\WINDOWS\System32\prutpct.exe
Status: 0xc0000034



File C:\WINDOWS\System32\prutsct.exe not found!
Deletion of file C:\WINDOWS\System32\prutsct.exe failed!

Could not process line:
C:\WINDOWS\System32\prutsct.exe
Status: 0xc0000034



File C:\WINDOWS\System32\ptech.exe not found!
Deletion of file C:\WINDOWS\System32\ptech.exe failed!

Could not process line:
C:\WINDOWS\System32\ptech.exe
Status: 0xc0000034



File C:\WINDOWS\System32\skytown.exe not found!
Deletion of file C:\WINDOWS\System32\skytown.exe failed!

Could not process line:
C:\WINDOWS\System32\skytown.exe
Status: 0xc0000034



File C:\Program Files\data19 not found!
Deletion of file C:\Program Files\data19 failed!

Could not process line:
C:\Program Files\data19
Status: 0xc0000034



File C:\WINDOWS\pi1.exe not found!
Deletion of file C:\WINDOWS\pi1.exe failed!

Could not process line:
C:\WINDOWS\pi1.exe
Status: 0xc0000034



File C:\Documents and Settings\Lisa\Desktop\askearth17.exe not found!
Deletion of file C:\Documents and Settings\Lisa\Desktop\askearth17.exe failed!

Could not process line:
C:\Documents and Settings\Lisa\Desktop\askearth17.exe
Status: 0xc0000034



File C:\Documents and Settings\Lisa\Desktop\ei.exe not found!
Deletion of file C:\Documents and Settings\Lisa\Desktop\ei.exe failed!

Could not process line:
C:\Documents and Settings\Lisa\Desktop\ei.exe
Status: 0xc0000034



File C:\Documents and Settings\Lisa\Desktop\filgmo.exe not found!
Deletion of file C:\Documents and Settings\Lisa\Desktop\filgmo.exe failed!

Could not process line:
C:\Documents and Settings\Lisa\Desktop\filgmo.exe
Status: 0xc0000034



File C:\Documents and Settings\Lisa\Desktop\prutpct.exe not found!
Deletion of file C:\Documents and Settings\Lisa\Desktop\prutpct.exe failed!

Could not process line:
C:\Documents and Settings\Lisa\Desktop\prutpct.exe
Status: 0xc0000034



File C:\Documents and Settings\Lisa\Desktop\prutsct.exe not found!
Deletion of file C:\Documents and Settings\Lisa\Desktop\prutsct.exe failed!

Could not process line:
C:\Documents and Settings\Lisa\Desktop\prutsct.exe
Status: 0xc0000034



File C:\Documents and Settings\Lisa\Desktop\ptech.exe not found!
Deletion of file C:\Documents and Settings\Lisa\Desktop\ptech.exe failed!

Could not process line:
C:\Documents and Settings\Lisa\Desktop\ptech.exe
Status: 0xc0000034



File C:\Documents and Settings\Lisa\Desktop\skytown.exe not found!
Deletion of file C:\Documents and Settings\Lisa\Desktop\skytown.exe failed!

Could not process line:
C:\Documents and Settings\Lisa\Desktop\skytown.exe
Status: 0xc0000034



File C:\Documents and Settings\Lisa\Local Settings\Temp\ei.exe not found!
Deletion of file C:\Documents and Settings\Lisa\Local Settings\Temp\ei.exe failed!

Could not process line:
C:\Documents and Settings\Lisa\Local Settings\Temp\ei.exe
Status: 0xc0000034

Folder C:\PROGRAM FILES\E2G deleted successfully.


Folder C:\PROGRAM FILES\Windows AdStatus not found!
Deletion of folder C:\PROGRAM FILES\Windows AdStatus failed!

Could not process line:
C:\PROGRAM FILES\Windows AdStatus
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry key HKLM\software\e2g deleted successfully.
Registry key HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.






Logfile of HijackThis v1.99.1
Scan saved at 4:00:41 PM, on 6/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\DOCUME~1\Lisa\MYDOCU~1\SSTEM~1\msconfig.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Save\Save.exe
C:\Documents and Settings\Lisa\Application Data\?icrosoft\w?nword.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Windows\wWinUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7B377359-CCEB-EC47-B929-EFABBF3DB5E9} - C:\WINDOWS\System32\fxfjeris.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [objpws] C:\WINDOWS\System32\objpws.exe
O4 - HKCU\..\Run: [Erah] "C:\DOCUME~1\Lisa\MYDOCU~1\SSTEM~1\msconfig.exe" -vt mt
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [Imq] C:\Documents and Settings\Lisa\Application Data\?icrosoft\w?nword.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Lisa\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\wpnotify.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



there you go.. thanks for looking at this for me. i appreciate it.

-Josh
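As an added example (not code from the thread or from The Avenger), a Python reconciliation script that reads an Avenger script like the one in post #4 together with the result log like the one above, expands the %Windir%-style variables the script uses, and reports for every script item whether the log says it was deleted, replaced, not found (with the NTSTATUS name), or never processed at all. The samples are constructed subsets of the two posts, with one file's result lines deliberately omitted to exercise the "no result" case; the environment variable values are assumptions drawn from the paths in this thread.

```python
import re

# Constructed samples: a subset of the Avenger script from post #4 and a trimmed copy of the
# log it produced, with the pi1.exe result lines left out to exercise the "no result" case.
SAMPLE_SCRIPT = r"""
Files to delete:
C:\WINDOWS\System32\fxfjeris.dll
C:\WINDOWS\System32\objpws.exe
%Windir%\System32\askearth17.exe
%Windir%\system32\inicfg32.dll
%Windir%\pi1.exe
Folders to delete:
C:\PROGRAM FILES\E2G
C:\PROGRAM FILES\Windows AdStatus
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Registry keys to delete:
HKLM\software\e2g
"""

SAMPLE_LOG = r"""
File C:\WINDOWS\System32\fxfjeris.dll deleted successfully.
File C:\WINDOWS\System32\objpws.exe deleted successfully.
File C:\WINDOWS\System32\askearth17.exe not found!
Deletion of file C:\WINDOWS\System32\askearth17.exe failed!
Could not process line:
C:\WINDOWS\System32\askearth17.exe
Status: 0xc0000034
File C:\WINDOWS\system32\inicfg32.dll deleted successfully.
Folder C:\PROGRAM FILES\E2G deleted successfully.
Folder C:\PROGRAM FILES\Windows AdStatus not found!
Deletion of folder C:\PROGRAM FILES\Windows AdStatus failed!
Could not process line:
C:\PROGRAM FILES\Windows AdStatus
Status: 0xc0000034
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry key HKLM\software\e2g deleted successfully.
"""

# Assumed expansions for the variables used in the script, taken from paths in this thread.
ENV = {"windir": r"C:\WINDOWS", "programfiles": r"C:\Program Files",
       "userprofile": r"C:\Documents and Settings\Lisa"}

# NTSTATUS values Avenger reports on failure; 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND.
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

RESULT_RE = re.compile(r"^(?:File|Folder|Registry value|Registry key) (?P<target>.+?) "
                       r"(?P<outcome>deleted successfully|replaced with dummy successfully|not found)[.!]$")
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]{8})$")
ENV_RE = re.compile(r"%([^%]+)%")


def normalize(target):
    """Case-fold and collapse the ' | ' the script uses before a value name to the '|' the log prints."""
    return target.lower().replace(" | ", "|")


def expand(path, env):
    """Replace %Name% tokens case-insensitively; unknown names are left as written."""
    return ENV_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def parse_script(text):
    """Return (section, target) pairs; a line ending in ':' starts a new section."""
    section, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1]
        elif section:
            items.append((section, line))
    return items


def parse_log(text):
    """Map each normalized target in the log to its outcome, adding the NTSTATUS name on failure."""
    outcomes, last = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = RESULT_RE.match(line)
        if m:
            last = normalize(m.group("target"))
            outcomes[last] = m.group("outcome")
            continue
        s = STATUS_RE.match(line)
        if s and last and outcomes[last] == "not found":
            code = int(s.group(1), 16)
            outcomes[last] = f"not found ({NTSTATUS_NAMES.get(code, s.group(1))})"
    return outcomes


def reconcile(script_text, log_text, env=ENV):
    """For every script item report what the log says happened; 'no result' means it was never processed."""
    outcomes = parse_log(log_text)
    return {target: outcomes.get(normalize(expand(target, env)), "no result")
            for _, target in parse_script(script_text)}


if __name__ == "__main__":
    for target, outcome in reconcile(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print(f"{outcome:42} {target}")
```

"not found" is the expected outcome for a path that was listed speculatively, but an item with "no result" means the run stopped before reaching it and the script should be rerun from that point.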

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 June 2006 - 06:51 PM

Hello again,

That's okay. :thumbsup:

I notice that you do not seem to be running Antivirus software or a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them!!

AVG, Avira OR Avast are good FREE antivirus programs. Some good free firewalls are ZoneAlarm or Outpost.
A tutorial on understanding and using firewalls may be found here.
Never install more than one antivirus scanner or firewall on your system! Running several together can cause problems and seriously decrease its reliability!

When you've done this, run a full system scan, if you can. Also try the directions again in my first post and see if we can uninstall Purity Scan. We have a lot more to do, but you're doing fine so far!

In your reply, let me know how your computer is running, and post a new HijackThis log please. :flowers:

Thanks

#7 slither101

  • Topic Starter
  • Members
  • 4 posts

Posted 03 June 2006 - 02:05 PM

Hi again, and thanks for your patience.

I still can't click on any links that send me to a download.. but my other computer handles them fine, so I just downloaded them on there and sent them to this computer using AOL. So now I've done the purity scan, and installed the AVG anti-virus thing. Sorry my computer is so messed up, but it's running a lot better now. Not half as many popups.. I don't know if it's because of the ZoneAlarm firewall or what.. but it's working :-). Anyways, here's my HijackThis log file.. thanks again teacup :-P


Logfile of HijackThis v1.99.1
Scan saved at 2:02:19 PM, on 6/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7B377359-CCEB-EC47-B929-EFABBF3DB5E9} - C:\WINDOWS\System32\fxfjeris.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [objpws] C:\WINDOWS\System32\objpws.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Lisa\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\wpnotify.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



thanks in advance,
josh

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 June 2006 - 04:33 PM

Josh! Hi there,

This is looking better!! Excellent job! :thumbsup: Ready for the next round? :flowers:

We need to uninstall these programs first to make it easier to get rid of leftovers later.
To do this: click Start > Control Panel > Add/Remove Programs and uninstall the following, if present:

WhenUSave or WhenU or Save

BearShare... Josh, this may be how you got infected. I really recommend you uninstall it. Read here for better options: http://www.spywareinfo.com/articles/p2p/

Use Cleanmgr to clean temporary files:

1. Click > start > run and type cleanmgr and click OK
2. Scan your system for files to remove.
3. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
4. Click OK to remove those files.
5. Click Yes to confirm deletion.

Please download, install, and update the free version of Ewido Anti-Malware:
1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. When you run ewido for the first time, you might get a warning "Database could not be found!". Click OK. We will fix this in a moment.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido and boot into safe mode:

Restart your computer, and tap the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {7B377359-CCEB-EC47-B929-EFABBF3DB5E9} - C:\WINDOWS\System32\fxfjeris.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [objpws] C:\WINDOWS\System32\objpws.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\Lisa\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\wpnotify.dll (file missing)


If you uninstalled, then check the following as well:

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause


Close all browser and other windows except for HijackThis!, and click "Fix Checked".

Next, delete the following folders/files (if they exist):

ALCXMNTR.EXE <----search for this one
C:\WINDOWS\System32\objpws.exe
C:\Program Files\Save <---this folder

And this folder, if you uninstalled:

C:\Program Files\BearShare

Now open Ewido, click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file. Please restart normally, then paste the contents of the text file to this thread, along with a new HijackThis log. Also let me know how the computer is running. Able to click links yet? :huh:

Thanks,
tea