Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Project1

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby envirolawman » July 27th, 2006, 11:04 pm

. . . Check that . . . I cannot get anything but a short message to go through. My internet connection (high speed cable) usually flies, but now it won't competely load pages, and it won't send but a short message here. Will retry Fri a.m. (Fingers are crossed . . . )
envirolawman
Active Member
 
Posts: 14
Joined: July 26th, 2006, 12:42 pm
Advertisement
Register to Remove

Unread postby agrarianmonk » July 27th, 2006, 11:07 pm

hmm...has this happened before? :shock:

if you're still having trouble tomorrow, perhaps you could transfer the logs to another computer and post them from there? (just a suggestion)

see you tomorrow.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby envirolawman » July 28th, 2006, 8:25 am

Logfile of HijackThis v1.99.1
Scan saved at 8:24:22 AM, on 7/28/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: (no name) - {9E61B8FD-5638-30E2-1871-5F10E82276C5} - C:\WINDOWS\SYSTEM\WZMXV.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" /NOCM
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://softdev.adelphia.net/sdccommon/d ... ctlins.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
envirolawman
Active Member
 
Posts: 14
Joined: July 26th, 2006, 12:42 pm

Unread postby envirolawman » July 28th, 2006, 8:26 am

Incident Status Location

Adware:adware/purityscan Not disinfected C:\WINDOWS\TEMP\!update.exe
Adware:adware/commad Not disinfected C:\WINDOWS\TEMP\cmdinst.exe
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/sidesearch Not disinfected Windows Registry
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\SYSTEM\ts_mediamotor.exe
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\SYSTEM\icon_mediamotor.exe
Spyware:Spyware/LinkReplacer Not disinfected C:\WINDOWS\SYSTEM\zqskw.exe
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\COOKIES\anyuser@www.myaffiliateprogram[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\COOKIES\anyuser@cgi-bin[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\COOKIES\anyuser@ccbill[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\COOKIES\anyuser@ad.yieldmanager[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\WINDOWS\COOKIES\anyuser@kmpads[1].txt
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\COOKIES\anyuser@yadro[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\COOKIES\anyuser@searchportal.information[1].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\COOKIES\anyuser@com[1].txt
Spyware:Cookie/GoStats Not disinfected C:\WINDOWS\COOKIES\anyuser@gostats[3].txt
Spyware:Cookie/FastClick Not disinfected C:\WINDOWS\COOKIES\anyuser@fastclick[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\WINDOWS\COOKIES\anyuser@stats1.reliablestats[2].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\COOKIES\default@ct.360i[2].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\COOKIES\default@atwola[2].txt
Spyware:Cookie/FastClick Not disinfected C:\WINDOWS\COOKIES\anyuser@media.fastclick[2].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\COOKIES\default@did-it[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\COOKIES\default@ccbill[1].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\COOKIES\default@toplist[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\WINDOWS\COOKIES\default@adultfriendfinder[1].txt
Spyware:Cookie/Servlet Not disinfected C:\WINDOWS\COOKIES\anyuser@servlet[1].txt
Spyware:Cookie/GoStats Not disinfected C:\WINDOWS\COOKIES\anyuser@gostats[2].txt
Spyware:Cookie/Seeq Not disinfected C:\WINDOWS\COOKIES\anyuser@www48.seeq[1].txt
Spyware:Cookie/Buydomains Not disinfected C:\WINDOWS\COOKIES\anyuser@www47.buydomains[1].txt
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\COOKIES\anyuser@microsofteup.112.2o7[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\COOKIES\anyuser@www.myaffiliateprogram[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\WINDOWS\COOKIES\anyuser@azjmp[2].txt
Spyware:Cookie/Paypopup Not disinfected C:\WINDOWS\COOKIES\anyuser@paypopup[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\WINDOWS\COOKIES\anyuser@entrepreneur[1].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\COOKIES\anyuser@did-it[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\COOKIES\anyuser@go[2].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\COOKIES\anyuser@atwola[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\WINDOWS\COOKIES\anyuser@adultfriendfinder[2].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\COOKIES\anyuser@webpower[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\COOKIES\anyuser@www.burstbeacon[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\WINDOWS\COOKIES\anyuser@adopt.hbmediapro[2].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\COOKIES\anyuser@ct.360i[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\COOKIES\anyuser@go[1].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\COOKIES\anyuser@webpower[1].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\COOKIES\anyuser@did-it[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\COOKIES\anyuser@cgi-bin[7].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\WINDOWS\COOKIES\anyuser@adultfriendfinder[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\WINDOWS\COOKIES\anyuser@i.screensavers[2].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\COOKIES\anyuser@xiti[1].txt
Spyware:Cookie/nCase Not disinfected C:\WINDOWS\COOKIES\anyuser@banners.searchingbooth[1].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\COOKIES\anyuser@ct.360i[2].txt
Spyware:Cookie/Toplist Not disinfected C:\WINDOWS\COOKIES\anyuser@toplist[4].txt
Spyware:Cookie/Outster Not disinfected C:\WINDOWS\COOKIES\anyuser@outster[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\COOKIES\anyuser@belnk[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\COOKIES\anyuser@ccbill[2].txt
Spyware:Cookie/NewMedia Not disinfected C:\WINDOWS\COOKIES\anyuser@anm.co[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\COOKIES\anyuser@searchportal.information[3].txt
Spyware:Cookie/GoClick Not disinfected C:\WINDOWS\COOKIES\anyuser@c.goclick[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\WINDOWS\COOKIES\anyuser@adopt.hbmediapro[3].txt
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\COOKIES\anyuser@yadro[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\COOKIES\anyuser@cgi-bin[6].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\WINDOWS\COOKIES\anyuser@offeroptimizer[2].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\COOKIES\anyuser@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\WINDOWS\COOKIES\anyuser@azjmp[3].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\COOKIES\anyuser@www.burstbeacon[3].txt
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\TEMP\1046002\ymdc.exe[²ÜÇ\System.dll]
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\TEMP\ICD3.tmp\MediaTicketsInstaller.INF
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\TEMP\mmxsnet.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\TEMP\mc-110-12-0000103.exe
Adware:Adware/Mirar Not disinfected C:\WINDOWS\TEMP\mit160.TMP[NNBar_VCSetup_876029.exe]
Adware:Adware/Mirar Not disinfected C:\WINDOWS\TEMP\mit160.TMP.cab[NNBar_VCSetup_876029.exe]
Spyware:Spyware/LinkReplacer Not disinfected C:\WINDOWS\TEMP\F3F1A3.TMP[zqskw.exe]
Adware:Adware/Mirar Not disinfected C:\WINDOWS\TEMP\NNBar_VCSetup_876029.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\TEMP\nsi81B5.TMP\nsProcess.dll
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\AF8BA94F\installerwnus[1].exe
Spyware:Spyware/Media-motor Not disinfected C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\FJXLPLDU\media_motor_bundle[1].exe
Virus:Trj/Downloader.HPZ Not disinfected C:\WINDOWS\pf78.exe[pms111x.exe]
Virus:Trj/VB.MC Not disinfected C:\WINDOWS\pf78.exe[SYSC00.exe]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD283.TMP
Spyware:Cookie/2o7 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD295.TMP
Spyware:Cookie/Adtech Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD2D1.TMP
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD335.TMP
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD346.TMP
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD354.TMP
Spyware:Cookie/Bfast Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD364.TMP
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD374.TMP
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD383.TMP
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD391.TMP
Spyware:Cookie/BurstNet Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD3A0.TMP
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE270.TMP
Spyware:Cookie/CentrPort Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE280.TMP
Spyware:Cookie/Com.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE2A5.TMP
Spyware:Cookie/Coremetrics Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE2C3.TMP
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE2D2.TMP
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE311.TMP
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE315.TMP
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE325.TMP
Spyware:Cookie/FortuneCity Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE335.TMP
Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE344.TMP
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE353.TMP
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE363.TMP
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE371.TMP
Spyware:Cookie/Hitslink Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE380.TMP
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE3A0.TMP
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE3B0.TMP
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF002.TMP
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF011.TMP
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF022.TMP
Spyware:Cookie/WUpd Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF033.TMP
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF041.TMP
Spyware:Cookie/SpyLog Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF050.TMP
Spyware:Cookie/onestat.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF054.TMP
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF063.TMP
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF075.TMP
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF084.TMP
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF092.TMP
Spyware:Cookie/Valueclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF0A4.TMP
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF0C0.TMP
Spyware:Cookie/Adserver Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF0D3.TMP
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF0E0.TMP
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF0E5.TMP
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8120.TMP
Spyware:Spyware/Virtumonde Not disinfected C:\Recycled\Dc4\services.dll
Virus:Trj/Agent.CJE Disinfected C:\16663120234.exe
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\Update.exe
Adware:Adware/Qoologic Not disinfected C:\installerwnusnewer.exe
envirolawman
Active Member
 
Posts: 14
Joined: July 26th, 2006, 12:42 pm

Unread postby envirolawman » July 28th, 2006, 8:29 am

Internet seems fine this morning - maybe it was just a problem at the provider.
envirolawman
Active Member
 
Posts: 14
Joined: July 26th, 2006, 12:42 pm

Unread postby agrarianmonk » July 28th, 2006, 11:53 am

Please re-open HiJackThis and select Scan. Check the boxes next to all the entries listed below (if present).

O2 - BHO: (no name) - {9E61B8FD-5638-30E2-1871-5F10E82276C5} - C:\WINDOWS\SYSTEM\WZMXV.DLL (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. close HijackThis.


Open Killbox:
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\TEMP\!update.exe
    C:\WINDOWS\TEMP\cmdinst.exe
    c:\windows\keyboard1.dat
    C:\WINDOWS\SYSTEM\ts_mediamotor.exe
    C:\WINDOWS\SYSTEM\icon_mediamotor.exe
    C:\WINDOWS\SYSTEM\zqskw.exe
    C:\WINDOWS\TEMP\1046002\ymdc.exe
    C:\WINDOWS\TEMP\ICD3.tmp\MediaTicketsInstaller.INF
    C:\WINDOWS\TEMP\mmxsnet.exe
    C:\WINDOWS\TEMP\mc-110-12-0000103.exe
    C:\WINDOWS\TEMP\mit160.TMP
    C:\WINDOWS\TEMP\F3F1A3.TMP
    C:\WINDOWS\TEMP\NNBar_VCSetup_876029.exe
    C:\WINDOWS\TEMP\nsi81B5.TMP\nsProcess.dll
    C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\AF8BA94F\installerwnus[1].exe
    C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\FJXLPLDU\media_motor_bundle[1].exe
    C:\WINDOWS\pf78.exe
    C:\Recycled\Dc4\services.dll
    C:\16663120234.exe
    C:\installerwnusnewer.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    NOTE: You must use the File menu--pasting by right-clicking the mouse will only enter one file.

  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

after reboot, please post:
  • new hijackthis log
  • a description of how your PC is behaving at the moment
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby envirolawman » July 28th, 2006, 1:17 pm

I found and deleted the entry in Hijack this as you instructed.

Kill this did not give any PendingRileRenameOperations prompts.

Today, sometimes when I log into the internet, in the bottom left is says it is "opening" the page I'm on, and it is very slow - this is what was happening yesterday when it was very slow and could only send brief replies on this page - it choked and sat still trying to send bigger replies, then said it couldn't find the page. This morning it let me get around a few times (that's when I sent you the requested logs), then slowed down again and kept trying to "open" the pages. Now, it is working fine, both the internet and the other programs I've tried to use, but I don't know if it will slow down again.

The Project1 item on my task bar is now gone!

The constant popups that started with project one seem to now be gone as well.

Below is the new Hijack This log.

Logfile of HijackThis v1.99.1
Scan saved at 1:09:28 PM, on 7/28/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\UPDATEMGR.EXE" /NOCM
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://softdev.adelphia.net/sdccommon/d ... ctlins.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
envirolawman
Active Member
 
Posts: 14
Joined: July 26th, 2006, 12:42 pm

Unread postby agrarianmonk » July 28th, 2006, 1:23 pm

It doesn't appear that you internet problems are malware related.

This is my post for when your computer is all clean - which it currently appears to be. Please let me know if you are experiencing any other problems with your computer.

If you aren't having any more problems, we have just a couple of last steps to perform and then you're all set.

HIDE HIDDEN/SYSTEM FILES:

Windows ME
===============
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.


SYSTEM RESTORE RESET

To turn off System Restore go to Start > Settings > Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check "Disable System Restore". Click OK. Click Yes when you are prompted to restart Windows.

Reboot your system.

To turn on System Restore go to Start > Settings > Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then uncheck "Disable System Restore". Click OK. Click Yes when you are prompted to restart Windows.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 2 free ones available for personal use:
To keep your operating system up to date visit
monthly. And to keep your system clean run these free malware scanners

weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!


(Please respond to this thread one more time so we can mark this thread as resolved.)
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby envirolawman » July 28th, 2006, 9:09 pm

"Who was that masked Monk?"

I cannot tell you how much you have helped me. My computer is working correctly again, and now I have all the protections in place that you helped me with. I need this rig for work too!!!

This is the nicest thing anyone has done for me in recent memory. I do pro bono and discounted work at my job for people who need it when I can, and this time I really needed some serious pro help. If I hadn't discovered you, I would have had to go out and buy another machine I couldn't really afford right now, and in a hurry too.

And to boot (no pun intended!), this whole process was remarkable. I never would have believed something like this could even be done. I learned a great deal from you while you were helping me.

I can afford a small donation, which I'll make, but it's really nothing compared to what you've done. My hat is off to you.

Santo
envirolawman
Active Member
 
Posts: 14
Joined: July 26th, 2006, 12:42 pm

Unread postby NonSuch » July 28th, 2006, 10:51 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27211
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 34 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware