
Infected With Some Sort Of Adware


8 replies to this topic

#1 Zlipzlop

Zlipzlop

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:43 PM

Posted 09 July 2006 - 05:28 AM

I'm not sure what else I can say to describe this infection. Different advertisements popping up whenever I'm browsing.

Any help at all you can offer would be very much appreciated.

Thanks



Logfile of HijackThis v1.99.1
Scan saved at 8:19:16 PM, on 9/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Julie\APPLIC~1\CROSOF~1.NET\dexplore.exe
C:\WINDOWS\?ppPatch\n?tepad.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\svchost.exe
D:\Limewire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [bahylcr] C:\WINDOWS\bahylcr.exe
O4 - HKLM\..\Run: [Zwxjn] C:\Program Files\Xlhsqu\Bdlnf.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\qinljno.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Lsta] "C:\DOCUME~1\Julie\APPLIC~1\CROSOF~1.NET\dexplore.exe" -vt yazr
O4 - HKCU\..\Run: [Ozq] C:\WINDOWS\?ppPatch\n?tepad.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118305284412
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:43 PM

Posted 09 July 2006 - 08:20 AM

Hey Zlipzlop,

It is strange that there are no O2's or O20's in the log - a new infection is hiding these entries from a Hijackthis scan, so it means certain infections cannot be seen and are therefore hidden to the helper. Go to the folder where Hijackthis is kept and rename the Hijackthis application to "analyse" by right-clicking on the program and clicking "rename". Press enter, then open "analyse.exe" by double-clicking and post a new Hijackthis log from the newly named application.

Also, you are using LimeWire. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/ If you opt to remove it, first use "Add/Remove Programs" to remove it and any reference to LimeWire.
This is another article: http://www.cexx.org/adware.htm

This utility "List Installed Programs" will provide a list of installed programs. It is found halfway down the page. Click on the little arrow and then the download icon in the new window that opens up. You can download the script and run it from your hard disk or run it without downloading.
When asked to enter the PC details, leave it blank and click OK. Ask to view the results and copy the Notepad list. Paste it in a reply to this thread.

David

#3 Zlipzlop

Zlipzlop
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:43 PM

Posted 10 July 2006 - 04:51 AM

Thank you David

I have uninstalled Limewire - I thought I had ages ago. The two logs are posted below.


INSTALLED SOFTWARE (143) - JJ - 10/07/2006 7:45:42 PM

KIDS BRAINBUSTER
101 Kid's Brainy Games Ver: 1.00.000
101 Puzzle & Logic Games Ver: 1.00.000
ABITEQ
Ad-Aware SE Personal Ver: 1.06
Adobe Acrobat 5.0 Ver: 5.0
Adobe Download Manager 2.0 (Remove Only) Ver: 2.0
Adobe Illustrator 9.0 Ver: 9.0
Adobe PageMaker 6.5
Adobe Photoshop 6.0 Ver: 6.0
Adobe Premiere 6.0 Ver: 6.0
Adobe Reader 7.0.8 Ver: 7.0.8 Installed: 10/06/2006
AirPlus XtremeG Installed: 22/04/2006
AirPlus XtremeG Installed: 22/04/2006
ANIO Service
ANIWZCS2 Service
AutoUpdate Ver: 1.0
AVIcodec (remove only)
Cleaner 5 EZ
CleanUp!
ClickArt Web Site Workshop 1.0
Cowabanga by OIN
Creative Story Writer
DivX Ver: 5.2.1
e-tax 2004
e-tax 2004 - FTB Module
EA SPORTS online 2004
FIFA 2004
FlashMenu
GameArena The Arena
Google Toolbar for Internet Explorer
HijackThis 1.99.1 Ver: 1.99.1
Hot Wheels™ World Race™
ImageMixer VCD/DVD2 for OLYMPUS Ver: 2.01.050.1
Indeo® Software
iTunes Ver: 4.8.0.32 Installed: 14/06/2005
iTunes Ver: 4.8.0.32 Installed: 14/06/2005
J2SE Runtime Environment 5.0 Update 6 Ver: 1.5.0.60 Installed: 5/02/2006
Java 2 Runtime Environment, SE v1.4.2_05 Ver: 1.4.2_05 Installed: 9/11/2004
Kid's Literacy Quest
Kinetica 2000
LEGO Chess
LEGO Stunt Rally
LiveUpdate 1.7 (Symantec Corporation)
Logitech iTouch Software
Logitech MouseWare 9.79
Macromedia Dreamweaver MX Ver: 6.1
Macromedia Extension Manager Ver: 1.5
Macromedia Fireworks MX Ver: 6
Macromedia Flash MX Ver: 6
Macromedia Flash Player 8 Ver: 8
Macromedia FreeHand MX Ver: 11
Macromedia Shockwave Player Ver: 10.1.0.11
Microsoft Motocross Madness 2
Microsoft Office XP Professional with FrontPage Ver: 10.0.2627.01 Installed: 9/11/2004
Miniclip
MSN Messenger 7.5 Ver: 7.5.0324.0 Installed: 7/04/2006
Nero Ver: 5.5.8.3 Installed: 13/11/2005
NHRA Pro Stock Cars and Trucks
Norton AntiVirus Corporate Edition Ver: 7.6.1.0000 Installed: 21/06/2005
NVIDIA Drivers
OLYMPUS Master Ver: 1.10.2000 Installed: 21/06/2005
OLYMPUS Master Ver: 1.10.2000 Installed: 21/06/2005
PowerQuest PartitionMagic 7.0
progeCAD LT 2006 SP1
QuickTime
SATARaid
Security Update for Windows Media Player (KB911564) Installed: 16/02/2006
Security Update for Windows Media Player 10 (KB911565) Installed: 16/02/2006
Security Update for Windows Media Player 10 (KB917734) Installed: 14/06/2006
Security Update for Windows XP (KB883939) Ver: 1 Installed: 20/06/2005
Security Update for Windows XP (KB890046) Ver: 1 Installed: 20/06/2005
Security Update for Windows XP (KB893066) Ver: 2 Installed: 20/06/2005
Security Update for Windows XP (KB893756) Ver: 1 Installed: 13/08/2005
Security Update for Windows XP (KB896358) Ver: 1 Installed: 20/06/2005
Security Update for Windows XP (KB896422) Ver: 1 Installed: 20/06/2005
Security Update for Windows XP (KB896423) Ver: 1 Installed: 13/08/2005
Security Update for Windows XP (KB896424) Ver: 1 Installed: 10/11/2005
Security Update for Windows XP (KB896428) Ver: 1 Installed: 20/06/2005
Security Update for Windows XP (KB896688) Ver: 1 Installed: 27/10/2005
Security Update for Windows XP (KB899587) Ver: 1 Installed: 13/08/2005
Security Update for Windows XP (KB899588) Ver: 1 Installed: 13/08/2005
Security Update for Windows XP (KB899589) Ver: 1 Installed: 27/10/2005
Security Update for Windows XP (KB899591) Ver: 1 Installed: 13/08/2005
Security Update for Windows XP (KB900725) Ver: 1 Installed: 27/10/2005
Security Update for Windows XP (KB901017) Ver: 1 Installed: 27/10/2005
Security Update for Windows XP (KB901214) Ver: 1 Installed: 14/07/2005
Security Update for Windows XP (KB902400) Ver: 1 Installed: 27/10/2005
Security Update for Windows XP (KB903235) Ver: 1 Installed: 14/07/2005
Security Update for Windows XP (KB904706) Ver: 1 Installed: 27/10/2005
Security Update for Windows XP (KB905414) Ver: 1 Installed: 27/10/2005
Security Update for Windows XP (KB905749) Ver: 1 Installed: 27/10/2005
Security Update for Windows XP (KB905915) Ver: 1 Installed: 14/12/2005
Security Update for Windows XP (KB908519) Ver: 1 Installed: 14/01/2006
Security Update for Windows XP (KB908531) Ver: 1 Installed: 22/04/2006
Security Update for Windows XP (KB911280) Ver: 1 Installed: 14/06/2006
Security Update for Windows XP (KB911562) Ver: 1 Installed: 22/04/2006
Security Update for Windows XP (KB911567) Ver: 1 Installed: 22/04/2006
Security Update for Windows XP (KB911927) Ver: 1 Installed: 16/02/2006
Security Update for Windows XP (KB912812) Ver: 1 Installed: 22/04/2006
Security Update for Windows XP (KB912919) Ver: 1 Installed: 6/01/2006
Security Update for Windows XP (KB913446) Ver: 1 Installed: 16/02/2006
Security Update for Windows XP (KB913580) Ver: 1 Installed: 10/05/2006
Security Update for Windows XP (KB914389) Ver: 1 Installed: 14/06/2006
Security Update for Windows XP (KB916281) Ver: 1 Installed: 14/06/2006
Security Update for Windows XP (KB917344) Ver: 1 Installed: 14/06/2006
Security Update for Windows XP (KB917953) Ver: 1 Installed: 14/06/2006
Security Update for Windows XP (KB918439) Ver: 1 Installed: 14/06/2006
Shockwave Director 10.1.1
Spybot - Search & Destroy 1.4 Ver: 1.4
Symantec Ghost Ver: 70.01.0259 Installed: 9/11/2004
The Incredibles Ver: 1.00.0000 Installed: 29/11/2005
The Incredibles Demo Ver: 1.00.0000 Installed: 13/01/2005
Tiger Woods USA TOUR 2002
Update for Windows XP (KB894391) Ver: 1 Installed: 13/08/2005
Update for Windows XP (KB896727) Ver: 1 Installed: 13/08/2005
Update for Windows XP (KB898461) Ver: 1 Installed: 30/06/2005
Update for Windows XP (KB900485) Ver: 2 Installed: 27/04/2006
Update for Windows XP (KB910437) Ver: 1 Installed: 14/12/2005
V8 Challenge
WebFldrs XP Ver: 9.50.5318 Installed: 8/11/2004
Windows Genuine Advantage Notifications (KB905474) Ver: 1.5.0532.0 Installed: 4/06/2006
Windows Installer 3.1 (KB893803) Ver: 3.1
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333 Ver: 20050114.005213
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB885250 Ver: 20050118.202711
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB885884 Ver: 20040924.025457
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB887742 Ver: 20041103.095002
Windows XP Hotfix - KB888113 Ver: 20041116.131036
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB890175 Ver: 20041201.233338
Windows XP Hotfix - KB890859 Ver: 1 Installed: 20/06/2005
Windows XP Hotfix - KB891781 Ver: 20050110.165439
Windows XP Hotfix - KB893086 Ver: 1 Installed: 20/06/2005
Windows XP Service Pack 2 Ver: 20040803.231319
Yahoo! Toolbar
YazzleActiveX By OIN Ver: 1.0


Logfile of HijackThis v1.99.1
Scan saved at 7:41:51 PM, on 10/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\Julie\APPLIC~1\CROSOF~1.NET\dexplore.exe
C:\WINDOWS\?ppPatch\n?tepad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\Analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CBCE9B73-E5A4-45B9-B1F7-37C4939C623F} - C:\WINDOWS\system32\pmkhg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [bahylcr] C:\WINDOWS\bahylcr.exe
O4 - HKLM\..\Run: [Zwxjn] C:\Program Files\Xlhsqu\Bdlnf.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\qinljno.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Lsta] "C:\DOCUME~1\Julie\APPLIC~1\CROSOF~1.NET\dexplore.exe" -vt yazr
O4 - HKCU\..\Run: [Ozq] C:\WINDOWS\?ppPatch\n?tepad.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118305284412
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmkhg - C:\WINDOWS\system32\pmkhg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winiro32 - winiro32.dll (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:43 PM

Posted 10 July 2006 - 10:34 AM

Hey Zlipzlop,

Click on Start, then Control Panel, and then double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist by double-clicking on these entries:

Cowabanga by OIN
YazzleActiveX By OIN Ver: 1.0


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add More Files.
  • Copy & paste the 2 entries below into the top 2 boxes:
    • C:\WINDOWS\system32\pmkhg.dll
    • C:\WINDOWS\system32\ghkmp.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click Yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
David
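As an added example (not code from this thread, from BleepingComputer, or from HijackThis or VundoFix), here is a small Python triage script for HijackThis-format log lines. It mechanises the checks David is reading off the logs in posts #2 and #4: whether the O2 and O20 sections are missing altogether, whether many IE start/search keys point at one value, which O2/O20 components are reported as missing on disk, which O4 Run entries launch from locations legitimate software rarely uses, and which O16 downloads carry no name. The rule set, the thresholds, and the "Windows root" and "Application Data" heuristics are the editor's own assumptions, not HijackThis logic; the sample lines are copied from the logs posted in this thread and assembled here so the script runs offline.

```python
"""Triage of HijackThis-format log entries (added example; the rules are assumptions)."""
import re
from collections import Counter

# Sample input: entry lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {ACEE18E5-07DC-4541-9FFF-9299C7D497E5} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bahylcr] C:\WINDOWS\bahylcr.exe
O4 - HKCU\..\Run: [Ozq] C:\WINDOWS\?ppPatch\n?tepad.exe
O4 - HKCU\..\Run: [Lsta] "C:\DOCUME~1\Julie\APPLIC~1\CROSOF~1.NET\dexplore.exe" -vt yazr
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winiro32 - winiro32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumed heuristic: an .exe sitting directly in the Windows root, not in a subfolder.
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


def parse_entries(text):
    """Return (section, body) pairs for every 'Rn - ...' / 'On - ...' line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def missing_sections(entries, expected=("O2", "O20")):
    """Sections absent altogether. An XP SP2 scan normally lists some O2 BHOs and O20
    Winlogon Notify handlers, so an empty section is itself worth a second look."""
    present = {sec for sec, _ in entries}
    return [sec for sec in expected if sec not in present]


def hijacked_search_domains(entries, min_keys=2):
    """Values that several IE start/search keys (R0/R1) point to at once."""
    targets = Counter()
    for sec, body in entries:
        if sec in ("R0", "R1") and " = " in body:
            targets[body.split(" = ", 1)[1].strip().lower()] += 1
    return [value for value, n in targets.items() if n >= min_keys]


def orphaned_components(entries):
    """O2/O20 components whose file HijackThis could not find on disk."""
    return [(sec, body) for sec, body in entries
            if sec in ("O2", "O20") and ("(file missing)" in body or "(no file)" in body)]


def executable_path(cmd):
    """Strip arguments from a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def suspicious_run_entries(entries):
    """O4 Run keys launched from locations legitimate software rarely uses."""
    flagged = []
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == "O4" else None
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        reasons = []
        if "?" in path:  # HijackThis prints characters it cannot display as '?'
            reasons.append("non-ASCII character in path")
        if WINDIR_ROOT_RE.match(path):
            reasons.append("executable directly in Windows root")
        if "APPLIC~1" in path.upper() or "APPLICATION DATA" in path.upper():
            reasons.append("launched from user Application Data")
        if reasons:
            flagged.append((m.group("name"), path, reasons))
    return flagged


def unnamed_dpf(entries):
    """O16 ActiveX downloads with no friendly name, only a CLSID and a URL."""
    return [body for sec, body in entries
            if sec == "O16" and "(" not in body.split(" - ", 1)[0]]


def triage(text):
    """Run every rule over one log and return the findings keyed by rule."""
    entries = parse_entries(text)
    return {
        "missing_sections": missing_sections(entries),
        "hijacked_search_domains": hijacked_search_domains(entries),
        "orphaned_components": orphaned_components(entries),
        "suspicious_run_entries": suspicious_run_entries(entries),
        "unnamed_dpf": unnamed_dpf(entries),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

Run it on the sample and the script reports the three search keys all set to prosearching.com, the file-missing pmkhg.dll BHO and winiro32 Winlogon Notify handler, the three Run entries launched from the Windows root, a lookalike folder and Application Data, and the unnamed Yazzle DPF, while the QuickTime, Google Toolbar, Musicnotes and WgaLogon entries pass. On the first log in the thread, which has no O2 lines at all, `missing_sections` would have raised the same flag David raised by eye.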

#5 Zlipzlop

Zlipzlop
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:43 PM

Posted 11 July 2006 - 04:17 AM

Thanks again, here are my logs.

Logfile of HijackThis v1.99.1
Scan saved at 7:15:21 PM, on 11/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\Julie\APPLIC~1\CROSOF~1.NET\dexplore.exe
C:\WINDOWS\?ppPatch\n?tepad.exe
D:\Adobe\Reader\reader_sl.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\Analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {ACEE18E5-07DC-4541-9FFF-9299C7D497E5} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [bahylcr] C:\WINDOWS\bahylcr.exe
O4 - HKLM\..\Run: [Zwxjn] C:\Program Files\Xlhsqu\Bdlnf.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\qinljno.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Lsta] "C:\DOCUME~1\Julie\APPLIC~1\CROSOF~1.NET\dexplore.exe" -vt yazr
O4 - HKCU\..\Run: [Ozq] C:\WINDOWS\?ppPatch\n?tepad.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118305284412
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winiro32 - winiro32.dll (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



VundoFix V4.2.34

Checking Java version...

Java version is 1.4.2.5

Java version is 1.5.0.6

Scan started at 10:30:06 AM 18/03/2006

Listing files found while scanning....


No infected files were found.


VundoFix V5.1.1

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.4.2.5

Java version is 1.5.0.6

Scan started at 6:48:14 PM 11/07/2006

Listing files found while scanning....

C:\windows\system32\pmkhg.dll
C:\windows\system32\ghkmp.ini
C:\windows\system32\ghkmp.bak2
C:\windows\system32\xxyxyay.dll

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\pmkhg.dll
C:\windows\system32\pmkhg.dll Has been deleted!

Attempting to delete C:\windows\system32\ghkmp.ini
C:\windows\system32\ghkmp.ini Has been deleted!

Attempting to delete C:\windows\system32\ghkmp.bak2
C:\windows\system32\ghkmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\xxyxyay.dll
C:\windows\system32\xxyxyay.dll Has been deleted!

Performing Repairs to the registry.
Done!

#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:43 PM

Posted 11 July 2006 - 11:08 AM

Hello there,

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. It is important that you complete the following instructions in the correct order, and also that you don't miss anything out!

* Please set your system to show hidden files; please see here if you're unsure how to do this.

* Please download Ewido anti-malware; it is a 30-day trial version of the program.
  • Install ewido security suite
  • Ewido will automatically run at the end.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the top row of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the top will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {ACEE18E5-07DC-4541-9FFF-9299C7D497E5} - C:\WINDOWS\system32\pmkhg.dll (file missing)
O4 - HKLM\..\Run: [bahylcr] C:\WINDOWS\bahylcr.exe
O4 - HKLM\..\Run: [Zwxjn] C:\Program Files\Xlhsqu\Bdlnf.exe
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\qinljno.exe
O4 - HKCU\..\Run: [Lsta] "C:\DOCUME~1\Julie\APPLIC~1\CROSOF~1.NET\dexplore.exe" -vt yazr
O4 - HKCU\..\Run: [Ozq] C:\WINDOWS\?ppPatch\n?tepad.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll
O20 - Winlogon Notify: winiro32 - winiro32.dll (file missing)


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar), you will be brought to a menu where you can choose to boot into safe mode.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\rundll32.dll <--do not delete rundll32.exe!! (it's legit)!
C:\WINDOWS\bahylcr.exe
C:\Program Files\Xlhsqu <--folder
C:\WINDOWS\qinljno.exe
C:\WINDOWS\?ppPatch <-- The folder you are looking for does not actually have question marks in its name when you see it in Explorer; it will have a letter in their place. Make sure you delete the legitimate folder, as there may be two folders under the same name. The one you want to delete has the file "n?tepad.exe" inside.

* Open Ewido anti-malware
Click on the scanner button in the top row.
  • Click Complete System Scan and the scan will begin.
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen.
  • Save the report to your desktop.
Close Ewido

* Please reboot back to normal mode and post the ewido log you previously saved to your desktop.
David
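The entries David asks to have fixed share a few tell-tale traits: browser start and search pages redirected to an unknown host, a BHO and a Winlogon Notify package whose DLL is missing, AppInit_DLLs being set at all, an ActiveX control pulled from an unrecognised host, and Run entries with random-looking names or executables in odd places (the Windows root, a user profile data directory, a folder whose name HijackThis prints with "?"). The following Python helper is an added example, not code from this thread, from HijackThis or from BleepingComputer; it encodes those traits as checks over HijackThis log lines. The allow-lists and the set of known vowel-less Run names are constructed for the example (a real analyst would consult a startup-entry database instead), and the sample lines are a subset of the log posted above.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the
thread or from HijackThis). Returns, per line, the reasons it deserves a
closer look. Allow-lists below are constructed for the example."""
import re
from urllib.parse import urlparse

# Constructed allow-lists; in practice these come from your environment or a
# startup-entry database, not from a hard-coded set.
TRUSTED_PAGE_HOSTS = {"google.com", "yahoo.com", "msn.com", "microsoft.com"}
TRUSTED_ACTIVEX_HOSTS = {"microsoft.com", "trendmicro.com", "pandasoftware.com",
                         "bitdefender.com", "akamai.net"}
KNOWN_RUN_NAMES = {"msnmsgr", "msmsgs"}  # vowel-less names that are legitimate

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<path>.+?\.exe)"?', re.I)


def _host_of(value):
    """Hostname of a URL or of a bare domain as HJT prints it."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _trusted(host, allow):
    return any(host == h or host.endswith("." + h) for h in allow)


def _vowelless(word):
    """Random-looking names (Zwxjn, Xlhsqu) often contain no vowels at all."""
    letters = [c for c in word if c.isalpha()]
    return bool(letters) and not any(c.lower() in "aeiou" for c in letters)


def _path_of(cmd):
    """Executable path from a Run-key command, quoted or not, arguments dropped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def _path_signals(path):
    reasons = []
    parts = path.split("\\")
    low = [p.lower() for p in parts]
    if "?" in path:
        reasons.append("path has characters HJT prints as '?' (look-alike name)")
    if len(parts) == 3 and low[1] == "windows":
        reasons.append("executable sits directly in the Windows directory")
    if any(p in ("applic~1", "application data", "docume~1") for p in low):
        reasons.append("executable runs from a user profile data directory")
    for d in parts[1:-1]:  # directory components only
        if _vowelless(d):
            reasons.append(f"random-looking directory name {d!r}")
    return reasons


def triage(line):
    """Reasons an HJT line deserves a look; an empty list means nothing obvious."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if kind in ("R0", "R1") and " = " in body:
        host = _host_of(body.split(" = ", 1)[1])
        if host and not _trusted(host, TRUSTED_PAGE_HOSTS):
            reasons.append(f"browser setting points at untrusted host {host}")
    elif kind == "R3" and "(no file)" in body:
        reasons.append("URLSearchHook with no backing file")
    elif kind == "O2" and "(file missing)" in body:
        reasons.append("BHO registered but its DLL is missing")
    elif kind == "O4":
        rm = RUN_RE.search(body)
        if rm:
            name, cmd = rm.group("name"), rm.group("cmd")
            if (_vowelless(name) and not name.isupper()
                    and name.lower() not in KNOWN_RUN_NAMES):
                reasons.append(f"Run value name {name!r} looks random")
            reasons.extend(_path_signals(_path_of(cmd)))
    elif kind == "O16":
        host = _host_of(body.rsplit(" - ", 1)[-1])
        if host and not _trusted(host, TRUSTED_ACTIVEX_HOSTS):
            reasons.append(f"ActiveX control fetched from unrecognised host {host}")
    elif kind == "O20":
        if body.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs set: that DLL loads into every GUI process")
        elif "(file missing)" in body:
            reasons.append("Winlogon Notify package whose DLL is missing")
    return reasons


def triage_log(lines):
    """Map each flagged line to its reasons."""
    return {ln: triage(ln) for ln in lines if triage(ln)}


# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com",
    r"R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)",
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll",
    r"O2 - BHO: (no name) - {ACEE18E5-07DC-4541-9FFF-9299C7D497E5} - C:\WINDOWS\system32\pmkhg.dll (file missing)",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe",
    r"O4 - HKLM\..\Run: [bahylcr] C:\WINDOWS\bahylcr.exe",
    r"O4 - HKLM\..\Run: [Zwxjn] C:\Program Files\Xlhsqu\Bdlnf.exe",
    r"O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\qinljno.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
    r'O4 - HKCU\..\Run: [Lsta] "C:\DOCUME~1\Julie\APPLIC~1\CROSOF~1.NET\dexplore.exe" -vt yazr',
    r"O4 - HKCU\..\Run: [Ozq] C:\WINDOWS\?ppPatch\n?tepad.exe",
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118305284412",
    r"O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\rundll32.dll",
    r"O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll",
    r"O20 - Winlogon Notify: winiro32 - winiro32.dll (file missing)",
]

if __name__ == "__main__":
    for ln, why in triage_log(SAMPLE_LOG).items():
        print(ln[:72], "->", "; ".join(why))
```

The heuristics are deliberately weak signals, not verdicts: every hit is a line to look up rather than something to fix blindly, and the allow-lists are where false positives (legitimate vowel-less names such as msnmsgr, vendor download hosts) get handled.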

#7 Zlipzlop

Zlipzlop
  • Topic Starter

  • Members
  • 4 posts
  • Local time:11:43 PM

Posted 12 July 2006 - 06:06 PM

I ran ewido twice because the first time I didn't save a report. After applying all actions the first time, the report of the second scan is below. I hope I haven't stuffed up. There were other bits of adware that were picked up in the first scan and ewido seems to have removed them.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:54:21 AM 13/07/2006

+ Scan result:



HKU\S-1-5-21-448539723-1482476501-682003330-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA356D79-679B-4B4C-8E49-5AF97014F4C1} -> Adware.Starware : No action taken.
HKU\S-1-5-21-448539723-1482476501-682003330-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D49E9D35-254C-4C6A-9D17-95018D228FF5} -> Adware.Starware : No action taken.
HKU\S-1-5-21-448539723-1482476501-682003330-1007\Software\Starware -> Adware.Starware : No action taken.
HKU\S-1-5-21-448539723-1482476501-682003330-1007\Software\Starware\Options -> Adware.Starware : No action taken.
HKU\S-1-5-21-448539723-1482476501-682003330-1007\Software\Starware\OriginalSearchAssistant -> Adware.Starware : No action taken.
HKU\S-1-5-21-448539723-1482476501-682003330-1007\Software\Starware\OriginalURLSearchHooks -> Adware.Starware : No action taken.
HKU\S-1-5-21-448539723-1482476501-682003330-1007\Software\Starware\SearchAssistant -> Adware.Starware : No action taken.


::Report end

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:43 PM

Posted 15 July 2006 - 09:48 AM

Hey there,

It looks to me as though you didn't apply all actions on the second scan; those files found haven't been deleted yet, and they need to go.

No need for safe mode this time, just open Ewido anti-malware
Click on the scanner button in the top row.
  • Click Complete System Scan and the scan will begin.
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen.
  • Save the report to your desktop.
Close Ewido
Paste that log here.

David
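What David spotted in the report is the action column: every line ends in "No action taken", so the scanner found the Starware keys but removed nothing. The following Python check is an added example, not code from this thread or from Ewido; it parses the "object -> classification : action" lines of such a report and lists the detections that still need an action. The sample report is constructed (with a placeholder SID and a made-up cookie entry) and is modelled on the one posted above.

```python
"""Ewido scan-report check (added example, not from the thread or from Ewido).
Parses 'object -> classification : action' lines and reports detections whose
action is still 'No action taken'."""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<obj>.+?) -> (?P<cls>[^:]+?) : (?P<action>.+?)\.?$")


def parse_report(text):
    """(object, classification, action) for every detection line in the report."""
    items = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.append((m.group("obj"), m.group("cls").strip(), m.group("action").strip()))
    return items


def unremediated(text):
    """Detections the scanner recorded but did not act on."""
    return [(o, c, a) for o, c, a in parse_report(text)
            if a.lower().startswith("no action")]


def summary(text):
    """How many detections ended in each action."""
    return Counter(a for _, _, a in parse_report(text))


# Constructed sample modelled on the posted report; SID is a placeholder and
# the cookie line is invented to show a remediated entry.
SAMPLE_REPORT = r"""
ewido anti-spyware - Scan Report
+ Scan result:

HKU\S-1-5-21-PLACEHOLDER-1007\Software\Starware -> Adware.Starware : No action taken.
HKU\S-1-5-21-PLACEHOLDER-1007\Software\Starware\Options -> Adware.Starware : No action taken.
C:\Documents and Settings\user\Cookies\user@example[1].txt -> TrackingCookie.Example : Cleaned with backup.

::Report end
"""

if __name__ == "__main__":
    for obj, cls, action in unremediated(SAMPLE_REPORT):
        print(f"still present: {obj} ({cls}) - {action}")
    print(dict(summary(SAMPLE_REPORT)))
```

Running this over a saved report before posting it tells you at a glance whether "Apply all actions" was actually applied; a report where every action is "No action taken" is a scan log, not a cleanup log.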

#9 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:43 PM

Posted 10 August 2006 - 05:25 AM

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.
