I Think I Have A Bho


20 replies to this topic

#1 ydbc

Posted 07 May 2007 - 01:47 PM

For the past few days I have had two recurring problems.

1. Whenever I am online, about every five minutes a web page pops up over the page which I am viewing. This can happen whether I am using Firefox or IE. The rogue sites vary, but mostly it is a porno site [edited out]. I can click on the X to cancel without problem, but it is frustrating as well as having the pornographic content. I am on a dial-up connection, and the same problem occurs on one of two ISPs. Sometimes my system "asks" me to dial when I am offline, and when I CANCEL, a message confirms that it was the above web site which was trying to connect.

2. At about the same time as the above problem, I found, and continue to find that I can connect to google.com or to .co.uk, but I cannot do a google search, always getting the following message. However, there is no problem with google.fr (we live in France). Interestingly, other people I know in France are having this same problem, and all started at about the same time.

Any ideas?

"Forbidden
Your client does not have permission to get URL /custom?q=freetelecom&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&hl=en&ie=ISO-8859-1&oe=ISO-8859-1&client=pub-7803381336700505&channel=3181435462&cof= from this server. (Client IP address:(Varying addresses are displayed here))

The website you've just visited has tried to provide you with search results from Google. Unfortunately, the site violates our terms of service so your search could not be completed. If you would like to continue with your search, please click the link below, which will take you directly to Google and the results you've requested. We apologize for the inconvenience and encourage you to conduct future searches directly from google.com or through the Google Toolbar, which can be downloaded for free from this address: http://toolbar.google.com.

Click here to continue your search on Google."


#2 ydbc

Posted 07 May 2007 - 01:54 PM

Sorry, I forgot to include my Hijackthis log file with my very recent query about a possible BHO and Google.

Logfile of HijackThis v1.99.1
Scan saved at 18:44:17, on 07/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\WINDOWS\system32\NILaunch.exe
C:\Program Files\ONSPEED\onspeedcore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ONSPEED\onspeedgui.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5405
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ONSPEED\PBHelper.dll
O2 - BHO: ONSPEED Toolbar - {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - C:\PROGRA~1\ONSPEE~1\ONSPEE~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\ONSPEED\components\NOWImaging.dll
O3 - Toolbar: ONSPEED Toolbar - {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - C:\PROGRA~1\ONSPEE~1\ONSPEE~1.DLL
O3 - Toolbar: SYSTRAN Web Translator 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ONSPEED\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ONSPEED\gui_resource.dll/328
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174152419328
O17 - HKLM\System\CCS\Services\Tcpip\..\{B452D53D-5945-47C9-BA48-4C5C269FDA8B}: NameServer = 212.27.54.252 213.228.0.168
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#3 ydbc

Posted 08 May 2007 - 09:38 AM

About every fifteen minutes, I get a site (usually porno) popping up over the site I am visiting. It doesn't overwrite my page, but opens a new tab. This happens on either of my dial-up ISPs and whether I am using Firefox or IE. Does the following HijackThis log help?

There has been (in Europe anyway) a problem with ONSPEED which would forbid searches on google.com or google.co.uk. ONSPEED have fixed this problem today, but could that have been a contributory factor to the above problem, which started at about the same time?

Many thanks in advance from this Limey silver surfer.

Logfile of HijackThis v1.99.1
Scan saved at 18:44:17, on 07/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\WINDOWS\system32\NILaunch.exe
C:\Program Files\ONSPEED\onspeedcore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ONSPEED\onspeedgui.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5405
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ONSPEED\PBHelper.dll
O2 - BHO: ONSPEED Toolbar - {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - C:\PROGRA~1\ONSPEE~1\ONSPEE~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\ONSPEED\components\NOWImaging.dll
O3 - Toolbar: ONSPEED Toolbar - {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - C:\PROGRA~1\ONSPEE~1\ONSPEE~1.DLL
O3 - Toolbar: SYSTRAN Web Translator 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ONSPEED\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ONSPEED\gui_resource.dll/328
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174152419328
O17 - HKLM\System\CCS\Services\Tcpip\..\{B452D53D-5945-47C9-BA48-4C5C269FDA8B}: NameServer = 212.27.54.252 213.228.0.168
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 ydbc

Posted 08 May 2007 - 09:42 AM

I have just learned that the Google problem was an ONSPEED compatibility problem which has been resolved by ONSPEED today. I have therefore re-submitted my other query separately.

#5 sjpritch25

Posted 12 May 2007 - 07:28 PM

Sorry for the delay :thumbsup:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Microsoft MVP Consumer Security--2007-2010

#6 ydbc

Posted 16 May 2007 - 10:39 AM

Thank you for your reply.
I have followed your instructions to the letter and herewith is the Scan Log result. Does it tell you anything?

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/16/2007 at 03:08 PM (Central European time)

Application Version : 3.7.1018

Core Rules Database Version : 3239
Trace Rules Database Version: 1250

Scan type : Complete Scan
Total Scan Time : 00:40:37

Memory items scanned : 382
Memory threats detected : 0
Registry items scanned : 4417
Registry threats detected : 0
File items scanned : 38739
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\Michael\Cookies\michael@e-2dj6wjmikkajacq.stats.esomniture[1].txt
C:\Documents and Settings\Michael\Cookies\michael@msnportal.112.2o7[1].txt
C:\Documents and Settings\Michael\Cookies\michael@doubleclick[1].txt
C:\Documents and Settings\Michael\Cookies\michael@e-2dj6whlyupcjako.stats.esomniture[2].txt
C:\Documents and Settings\Michael\Cookies\michael@e-2dj6wjlowkcpcaq.stats.esomniture[2].txt
C:\Documents and Settings\Michael\Cookies\michael@e-2dj6walowocpolq.stats.esomniture[1].txt
C:\Documents and Settings\Michael\Cookies\michael@serving-sys[1].txt
C:\Documents and Settings\Michael\Cookies\michael@e-2dj6wjl4ugdzefo.stats.esomniture[2].txt
C:\Documents and Settings\Michael\Cookies\michael@tribalfusion[1].txt
C:\Documents and Settings\Michael\Cookies\michael@e-2dj6wfmykpcpiho.stats.esomniture[1].txt
C:\Documents and Settings\Michael\Cookies\michael@e-2dj6wblyclazebp.stats.esomniture[1].txt
C:\Documents and Settings\Michael\Cookies\michael@questionmarket[1].txt
C:\Documents and Settings\Michael\Cookies\michael@bs.serving-sys[1].txt
C:\Documents and Settings\Michael\Cookies\michael@overture[2].txt

I note that I now have two desktop icons for SuperAntiSpyware. One looks like a traffic sign, with a red circle, and the other is a pale blue icon for SuperAntiSpyware(2). Which of those do I need? ... and is this program more efficient than Spybot Search and Destroy, which I have used up to now?

Again, very many thanks for your kind efforts to help.

#7 sjpritch25

Posted 16 May 2007 - 11:50 AM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, save the text that will open (report.txt) to your desktop.

1) Go to Start > Control Panel >Network Connections. Right click your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on Properties.
* Make a note of the settings before you change them just in case you need to put them back how they were.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice.

2) Go to Start > Run, enter CMD and click OK.
  • At the DOS prompt screen, type in cd\ and then press <ENTER>.
  • Now type in ipconfig /flushdns and then press <ENTER>. (notice the space after ipconfig)
  • Close the command prompt window.
In your next reply, please include a fresh HijackThis log and report.txt. Thanks.

Microsoft MVP Consumer Security--2007-2010

#8 ydbc

Posted 17 May 2007 - 09:20 AM

Thanks for all that! I wish I understood it all. :thumbsup:

After the problem has been resolved, may I ask you a few further questions about the programs which you have advised me to download. Are they continually required on my system for example?

Following are the two TXT files you requested. Again, many thanks.

Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl05a\\BrStDvPt.exe"
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"eFax 4.2"="\"C:\\Program Files\\eFax Messenger 4.2\\J2GDllCmd.exe\" /R"
"Net-It Launcher"="C:\\WINDOWS\\system32\\NILaunch.exe"
"SlipStream"="\"C:\\Program Files\\ONSPEED\\onspeedcore.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"sfgosoxcg"="c:\\windows\\system32\\sfgosoxcg.exe sfgosoxcg"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Logfile of HijackThis v1.99.1
Scan saved at 16:08:30, on 17/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\WINDOWS\system32\NILaunch.exe
C:\Program Files\ONSPEED\onspeedcore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ONSPEED\onspeedgui.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ONSPEED\PBHelper.dll
O2 - BHO: ONSPEED Toolbar - {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - C:\PROGRA~1\ONSPEE~1\ONSPEE~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\ONSPEED\components\NOWImaging.dll
O3 - Toolbar: ONSPEED Toolbar - {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - C:\PROGRA~1\ONSPEE~1\ONSPEE~1.DLL
O3 - Toolbar: SYSTRAN Web Translator 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
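The Fixwareout report above dumps HKLM\...\CurrentVersion\Run straight from the registry and lists a value ("sfgosoxcg") that the HijackThis O4 list from the same day does not show; spotting that gap is what the helper does by eye, and it is the same kind of entry ZoneAlarm was later seen blocking. The following is an added example, not part of this thread or of either tool: it parses excerpts of the two logs posted above, diffs the two Run-key enumerations, and also pulls out the R1 proxy, O17 DNS server and O23 "file missing" lines that the DNS instructions in the previous reply are about.

```python
"""Cross-check two autostart enumerations for entries one tool cannot see.

Constructed for this thread: HijackThis O4 lines and the Fixwareout 'Current
runs' dump both describe the HKLM/HKCU CurrentVersion Run keys.  A value in the
registry dump that is missing from the O4 list is the autostart of something
that hides from the first tool, so that diff is the first thing to read.
"""
import re

# Excerpts of the two logs posted above (HijackThis 17/05/2007 and the
# Fixwareout report), cut down to the lines the comparison needs.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5405
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B452D53D-5945-47C9-BA48-4C5C269FDA8B}: NameServer = 212.27.54.252 213.228.0.168
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
"""
REG_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"sfgosoxcg"="c:\\windows\\system32\\sfgosoxcg.exe sfgosoxcg"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
R1_RE = re.compile(r"^R1 - .*ProxyServer = (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
O23_RE = re.compile(r"^O23 - Service: .*\((\w+)\) - .* \(file missing\)$")
REG_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)(\\.*)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_hjt(text):
    """Pull the R1/O4/O17/O23 facts this triage needs out of a HijackThis log."""
    out = {"run": {}, "proxy": [], "nameservers": [], "missing_services": []}
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            out["run"][(m.group(1), m.group(2).lower())] = m.group(3)
        elif m := R1_RE.match(line):
            out["proxy"].append(m.group(1).strip())
        elif m := O17_RE.match(line):
            out["nameservers"].extend(m.group(1).split())
        elif m := O23_RE.match(line):
            out["missing_services"].append(m.group(1))
    return out


def parse_reg_runs(text):
    """Parse a .reg-style dump into {(hive, value name lowercased): command},
    undoing the doubled backslashes and escaped quotes of the .reg format."""
    runs, hive = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := REG_KEY_RE.match(line):
            root, path = m.groups()
            # Only the two Run keys matter; any other key switches parsing off.
            hive = HIVES.get(root) if path.lower() == RUN_KEY else None
        elif hive and (m := REG_VAL_RE.match(line)):
            name, value = m.groups()
            runs[(hive, name.lower())] = re.sub(r"\\(.)", r"\1", value)
    return runs


def compare_runs(hjt_runs, reg_runs):
    """Value names each enumerator reports that the other does not."""
    return {"reg_only": set(reg_runs) - set(hjt_runs),
            "hjt_only": set(hjt_runs) - set(reg_runs)}


def triage(hjt_text, reg_text):
    """Reduce both logs to the handful of lines an analyst has to decide on."""
    hjt, reg = parse_hjt(hjt_text), parse_reg_runs(reg_text)
    diff = compare_runs(hjt["run"], reg)
    findings = []
    for hive, name in sorted(diff["reg_only"]):
        findings.append(f"HIDDEN AUTOSTART? {hive} Run\\{name} = {reg[(hive, name)]} "
                        "is in the registry dump but not in the HijackThis O4 list")
    for hive, name in sorted(diff["hjt_only"]):
        findings.append(f"{hive} Run\\{name} seen by HijackThis only; re-run both tools")
    for proxy in hjt["proxy"]:
        findings.append(f"IE proxy {proxy}: a local accelerator such as ONSPEED can "
                        "explain a 127.0.0.1 proxy, but confirm which program owns the port")
    if hjt["nameservers"]:
        findings.append("Static DNS " + ", ".join(hjt["nameservers"]) +
                        ": check against the ISP's resolvers; DNS changers set these")
    for svc in hjt["missing_services"]:
        findings.append(f"Service {svc} points at a file that no longer exists")
    return findings


if __name__ == "__main__":
    for finding in triage(HJT_LOG, REG_DUMP):
        print(finding)
```

Run against the full logs rather than the excerpts, the diff is only meaningful when both enumerations were taken close together, as they were here (same day).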

#9 ydbc

Posted 27 May 2007 - 01:33 PM

I still have the same problem, but having just installed a free registry checker, it has reported that I have a trojan, Vundo.
Does that seem to be the possible cause - and how do I remove it?
Many thanks in advance.

PS. After posting the above three lines, I found the section on this site about Vundo. I have downloaded and run Vundofix, but that program reports finding no infected file.
It may or may not be related, but when I have had the original problem, occasionally ZoneAlarm advises that one of two programs is trying to access the Internet, and every time I have refused access. The two .exe files are mvqgtxjoa and hjvzivgy, neither of which I can find on my system. However, I note, via a Google search, that a user in France has had the first of these on a HijackThis report, listed as "Hidden process". Do these have any connection with my problem?

Edited by ydbc, 27 May 2007 - 01:57 PM.


#10 sjpritch25

Posted 27 May 2007 - 09:13 PM

Okay, those files are bad and should be blocked via ZoneAlarm. The program below is updated more often than Vundofix. Please run it and post the log. Thanks.

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Microsoft MVP Consumer Security--2007-2010

#11 ydbc

Posted 28 May 2007 - 02:21 PM

Thanks once again.

Before I paste the ComboFix log, two more observations.

1. I went offline to run ComboFix, and even while offline, the rogue program kicked in and tried to load the porno site.

2. I have today purchased and downloaded SpyHunter. After installing it, I STILL have the same problem. Seems like an expensive purchase to me!

Anyway, here's the log, and many thanks in advance.

"Michael" - 2007-05-28 21:10:08 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Michael\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\hjyzrvgy.exe"
"C:\WINDOWS\system32\hjyzrvgy.dat"
"C:\WINDOWS\system32\hjyzrvgy_nav.dat"
"C:\WINDOWS\system32\hjyzrvgy_navps.dat"
"C:\WINDOWS\system32\nvs2.inf"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))


2007-05-27 20:40 <DIR> d-------- C:\VundoFix Backups
2007-05-27 19:59 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-21 14:30 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2007-05-21 14:29 88,365 -ra------ C:\WINDOWS\AGRSMMSG.exe
2007-05-21 14:29 68,096 -ra------ C:\WINDOWS\agrsmdel.exe
2007-05-21 14:29 2,410,076 -ra------ C:\WINDOWS\system32\drivers\AGRSM.sys
2007-05-19 16:24 0 --a------ C:\WINDOWS\mozver.dat
2007-05-17 15:57 5,957 --a------ C:\dnsbak.reg
2007-05-17 13:09 92,208 --a------ C:\WINDOWS\system32\WING.DLL
2007-05-17 13:09 188,960 --a------ C:\WINDOWS\system32\WINGDE.DLL
2007-05-17 13:09 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2007-05-17 13:07 <DIR> d-------- C:\Program Files\French course
2007-05-17 13:05 299,520 --a------ C:\WINDOWS\uninst.exe
2007-05-16 14:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-16 14:13 <DIR> d-------- C:\DOCUME~1\Michael\APPLIC~1\SUPERAntiSpyware.com
2007-05-16 14:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-15 21:23 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-05-14 12:56 208,248 --a------ C:\WINDOWS\system32\muweb.dll
2007-05-07 14:04 <DIR> d-------- C:\DOCUME~1\Michael\APPLIC~1\Ahead
2007-05-07 14:02 2,916,352 --------- C:\WINDOWS\UNNMP.exe
2007-05-07 14:02 <DIR> d-------- C:\Program Files\Common Files\LS
2007-05-07 14:01 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-05-07 14:00 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-05-07 13:59 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-05-07 13:59 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-05-07 13:59 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-05-07 13:59 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-05-07 13:59 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2007-05-07 13:59 2,977,792 --------- C:\WINDOWS\UNNeroVision.exe
2007-05-07 13:59 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-05-07 13:59 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-05-07 13:59 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-05-07 13:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-05-07 13:58 <DIR> d-------- C:\Program Files\Ahead
2007-05-05 19:44 <DIR> d-------- C:\DOCUME~1\Michael\APPLIC~1\FinalBurner Video DVD
2007-05-03 18:48 328,293 --a------ C:\WINDOWS\system32\zslmcsixmb.exe
2007-05-03 18:46 <DIR> d-------- C:\Program Files\SudoPlanet


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-28 19:09:41 -------- d-----w C:\DOCUME~1\Michael\APPLIC~1\SlipStream
2007-05-28 19:09:11 -------- d-----w C:\DOCUME~1\Michael\APPLIC~1\MailWasherPro
2007-05-28 09:32:24 -------- d-----w C:\Program Files\IrfanView
2007-05-27 17:17:30 -------- d-----w C:\Program Files\Brother's Keeper 6
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 20:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-12 11:55:11 -------- d-----w C:\DOCUME~1\Michael\APPLIC~1\OpenOffice.org2
2007-04-01 16:47:12 -------- d-----w C:\Program Files\Brother
2007-03-29 18:46:55 36,080 ----a-w C:\DOCUME~1\Michael\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-25 16:54:18 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-03-20 16:17:13 50 ----a-w C:\WINDOWS\system32\bridf05a.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 10:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 10:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-14 16:36:17 28,672 ----a-w C:\WINDOWS\system32\qttask.exe
2007-03-13 11:04:19 0 ----a-w C:\WINDOWS\nsreg.dat
2007-03-13 10:17:13 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-03-13 10:17:13 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-03-13 10:08:45 0 --sha-r C:\MSDOS.SYS
2007-03-13 10:08:45 0 --sha-r C:\IO.SYS
2007-03-13 10:08:45 0 ----a-w C:\CONFIG.SYS
2007-03-13 10:08:45 0 ----a-w C:\AUTOEXEC.BAT
2007-03-13 10:06:04 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]
{4115122B-85FF-4DD3-9515-F075BEDE5EB5}=C:\Program Files\ONSPEED\PBHelper.dll [2006-12-21 05:18]
{4E7BD74F-2B8D-469E-84BA-B830E8D4E122}=C:\PROGRA~1\ONSPEE~1\ONSPEE~1.DLL [2006-12-21 04:53]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{9AA2F14F-E956-44B8-8694-A5B615CDF341}=C:\Program Files\ONSPEED\components\NOWImaging.dll [2006-12-21 05:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-22 12:57]
"Cmaudio"="cmicnfg.cpl" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 04:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 04:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 04:36]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 15:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 15:45]
"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 19:02]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 18:42]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 22:36]
"Net-It Launcher"="C:\WINDOWS\system32\NILaunch.exe" [1998-02-05 21:16]
"SlipStream"="C:\Program Files\ONSPEED\onspeedcore.exe" [2006-12-21 05:18]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-01-08 14:29]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40]
"AGRSMMSG"="AGRSMMSG.exe" []
"hjyzrvgy"="c:\windows\system32\hjyzrvgy.exe" []
"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2007-04-26 16:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="shdocvw.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
backup=C:\WINDOWS\pss\Lotus QuickStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael^Start Menu^Programs^Startup^Lotus SmartSuite Release 9 Registration.lnk]
path=C:\Documents and Settings\Michael\Start Menu\Programs\Startup\Lotus SmartSuite Release 9 Registration.lnk
backup=C:\WINDOWS\pss\Lotus SmartSuite Release 9 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

*Newly Created Service* -PROCEXP90


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070513-195639-914
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174152419328


backup-20070507-185337-711
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 21:11:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-28 21:11:55
C:\ComboFix-quarantined-files.txt ... 2007-05-28 21:11

#12 sjpritch25

sjpritch25

  • Security Colleague
  • 891 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:03:24 AM

Posted 28 May 2007 - 10:02 PM

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O4 - HKLM\..\Run: [hjyzrvgy] c:\windows\system32\hjyzrvgy.exe

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...


About SpyHunter, I would try to get your money back. That is just my opinion. There are far far far better programs for much less. Please don't install any more anti-spyware programs unless I instruct you. Thanks.


Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

In your next reply, please include a fresh HijackThis log and Panda ActiveScan log. Thanks.
Microsoft MVP Consumer Security--2007-2010

#13 ydbc

ydbc
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:24 AM

Posted 29 May 2007 - 06:41 AM

OK. I have done that and removed the offending program. I had spotted it on the list which I last sent, but did not want to delete it before an expert had had a look. Since the other one (mvqgtxjoa) did not appear, maybe SpyHunter had found that one. However, taking your advice, I have emailed Spyhunter to ask for a refund in light of their not finding the other one.

I have only just come back on line, so will let you know in a few days if the pop up web sites have finally "gone away".

Thank you very much once again.

Michael.

#14 ydbc

ydbc
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:24 AM

Posted 30 May 2007 - 07:00 AM

Well, keeping all fingers crossed, I have had no further web pages popping up.

Here is latest Hijackthis log file.

Logfile of HijackThis v1.99.1
Scan saved at 13:48:57, on 30/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\WINDOWS\system32\NILaunch.exe
C:\Program Files\ONSPEED\onspeedcore.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ONSPEED\onspeedgui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5405
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\ONSPEED\PBHelper.dll
O2 - BHO: ONSPEED Toolbar - {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - C:\PROGRA~1\ONSPEE~1\ONSPEE~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\ONSPEED\components\NOWImaging.dll
O3 - Toolbar: ONSPEED Toolbar - {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - C:\PROGRA~1\ONSPEE~1\ONSPEE~1.DLL
O3 - Toolbar: SYSTRAN Web Translator 5.0 - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\system32\NILaunch.exe
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\ONSPEED\onspeedcore.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ONSPEED.lnk = C:\Program Files\ONSPEED\onspeedgui.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\ONSPEED\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\ONSPEED\gui_resource.dll/328
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B452D53D-5945-47C9-BA48-4C5C269FDA8B}: NameServer = 212.27.54.252 213.228.0.168
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


I tried to download the other software, but when it reached the stage of downloading Active X (it didn't ask, by the way), the process stopped, followed by a Microsoft message about an Information Bar. I checked this out, to find what it meant, but no information bar had been displayed which, presumably, would have told me that Microsoft found the download suspect. So, I switched off the pop ups under Tools, but then the whole system locked and I had to shut down the computer!

I tried a second time, but with the same result. Tried again using Firefox, my default browser, but the download only recognises IE. So I have left that for the time being.

No response or refund yet from SpyHunter.

If, as we all hope, my problem has gone away, how do I make a donation to BleepingComputer?

Thanks once again.
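Editor's note, added example (not part of the thread, and not a tool from HijackThis, ComboFix or BleepingComputer): the manual triage in posts #12 and #14 (spotting a random-looking O4 Run value, an unnamed O2 BHO, an R1 proxy pointing at the local machine and the O17 name servers) can be scripted so the same checks run over any HijackThis v1.99 log. The sample log lines below are constructed, modelled on the entries posted above but trimmed to the sections the script handles; the scoring thresholds and the "random name dropped into system32" signal are this example's own assumptions, not rules from the thread.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v1.99 log format. The lines are modelled on
# the entries posted in this thread, trimmed to the kinds the triage looks at;
# they are not the full log.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:5405
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [hjyzrvgy] c:\\windows\\system32\\hjyzrvgy.exe
O4 - HKLM\\..\\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B452D53D-5945-47C9-BA48-4C5C269FDA8B}: NameServer = 212.27.54.252 213.228.0.168
"""

# One pattern per HijackThis section type handled here (O4 Global Startup
# lines and the other sections are deliberately ignored).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<title>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
R1_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")

VOWELS = set("aeiou")


def exe_stem(cmd: str) -> str:
    """Base name, without extension, of the executable a Run command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        first = cmd[1:cmd.index('"', 1)]          # quoted path, may contain spaces
    else:
        first = cmd.split()[0]                    # unquoted: first token is the exe
    base = first.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def random_name_score(name: str, cmd: str) -> int:
    """Score how much a Run value looks like a dropper's random name.

    Crude heuristic; the thresholds are this example's assumption, tuned to
    the eight-letter names seen in this thread. 2 or more means "look at it".
    """
    letters = [c for c in name.lower() if c.isalpha()]
    score = 0
    if len(letters) >= 6 and not any(c in VOWELS for c in letters):
        score += 2                                # no vowels at all, e.g. hjyzrvgy
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    if longest >= 5:
        score += 1                                # long consonant run
    if exe_stem(cmd).lower() == name.lower() and "\\system32\\" in cmd.lower():
        score += 1                                # same odd name dropped straight into system32
    return score


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the log entries worth a human's attention, each with a reason."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            score = random_name_score(m["name"], m["cmd"])
            if score >= 2:
                findings.append({"kind": "O4", "item": m["name"],
                                 "why": f"random-looking Run value (score {score}): {m['cmd']}"})
            continue
        m = O2_RE.match(line)
        if m and m["title"] == "(no name)":
            findings.append({"kind": "O2", "item": m["clsid"],
                             "why": f"BHO with no display name; identify the DLL's owner: {m['path']}"})
            continue
        m = R1_RE.match(line)
        if m and ("127.0.0.1" in m["proxy"] or "localhost" in m["proxy"].lower()):
            findings.append({"kind": "R1", "item": m["proxy"],
                             "why": "browser traffic goes through a local port; confirm which process listens on it"})
            continue
        m = O17_RE.match(line)
        if m:
            findings.append({"kind": "O17", "item": m["servers"],
                             "why": "DNS servers set in the registry; confirm they are your ISP's"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4} {f['item']:<40} {f['why']}")
```

The script only points; it does not fix anything, which is deliberate for a log that has legitimate hits in it. On the log posted above the R1 entry is most likely the ONSPEED accelerator's local proxy (onspeedcore.exe is in the same Run list), and the unnamed O2 BHO is Spybot's SDHelper.dll; the point of the check is to confirm that with `netstat -ano` and the file's publisher rather than to assume it, and to do the same for the O17 servers. AGRSMMSG scores only 1 under these thresholds, so the Agere modem helper is not reported, while hjyzrvgy scores 4.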

#15 sjpritch25

sjpritch25

  • Security Colleague
  • 891 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:03:24 AM

Posted 30 May 2007 - 11:39 AM

Did you right-click on the information bar? If not, right-click the information bar and choose Install ActiveX Control and install it. You may get a warning from your anti-virus about one file from Panda ActiveScan, but it's a false positive. Let me know if you still have problems. Thanks.
Microsoft MVP Consumer Security--2007-2010
