Welcome to MalwareRemoval.com
IE popping up ads and a new browser all the time.

Post by Ges » March 7th, 2007, 8:12 pm

I keep on getting annoying popup ads and also a completely new browser opens. This happens when I either type in new URLs or click on links.
I have run SpyBot and Ad-Aware to no avail. I have also got AVG installed but it has found nothing. Even while I am posting this I keep on getting interrupted!
I have followed your instructions before posting and here is my HijackThis log result.
I use Apache server and MySQL for my web design pages, so as not to confuse. Also I do not want IE Service Pack 2.

Logfile of HijackThis v1.99.1
Scan saved at 00:00:14, on 08/03/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-sea ... mpl1&find=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WindowsUpdate renew] c:\windows\iexplore\iexplore.exe -v 000030 -s http://windowsupdate.microsoft.com /renew
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O4 - HKCU\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9452853420
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE



Any help would be greatly appreciated.
Thank you for your time.

Ges. :?:
Ges
Active Member
 
Posts: 11
Joined: March 7th, 2007, 7:53 pm
Location: Leeds

Post by Shaba » March 8th, 2007, 4:06 am

Hi Ges

You don't have to install SP2 yet, but SP1a.

We can definitely help you, but first you need to help us. You are quite behind on your Windows Updates and Patches!!

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here to get WinXP SP1a: http://www.microsoft.com/downloads/details...&DisplayLang=en

Apply the update, reboot, then go to Windows Update and install all the Critical Updates (Note: Except for WinXP SP2)
Click here for Windows Update: http://www.windowsupdate.com/

After installing all the Patches and updates, reboot, then post a fresh Hijack This log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by Ges » March 9th, 2007, 5:05 am

Hi Shaba.
First let me apologise for the delay in replying to you. I had to go to work yesterday morning and when I got home I was asked to go back to cover for someone.
Anyway, last night I followed your instructions exactly. Windows gave an error when trying to install SP1a ( giving error number 0x8024D00C ), but also with instructions as to resolving it. This I did and ( not sure what I had done! ), it began installing a tremendous amount of upgrades taking around 45 mins to complete. Then it re-booted the PC and I noticed a considerable increase in speed. However, the original problem still persisted. So I ran a FULL scan firstly with AVG which found 2 Trojan-Collect problems ( which it hadn't done before ). I then ran Spybot and it too now found a few minor things but a critical one called Smitfraud-C.Toolbar888 ( it had not found these before! ). And then to put the icing on the cake I ran good old Ad-Aware SE Personal and lo & behold, it too found 3 critical problems.

The original problem appears now to have GONE AWAY. However, I am still concerned about the SP1a error and cannot tell for sure what Windows has actually done, so I post you the latest HijackThis.log for your convenience.

Logfile of HijackThis v1.99.1
Scan saved at 06:10:01, on 09/03/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-sea ... mpl1&find=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1EB27C5E-3DF4-41E2-B51A-D80F812D561D} - C:\WINDOWS\System32\ddcyaba.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {80CF12B4-3883-42E2-B820-0C5E5BA0D353} - C:\WINDOWS\System32\pmkjg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\System32\ocshmkwj.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WindowsUpdate renew] c:\windows\iexplore\iexplore.exe -v 000030 -s http://windowsupdate.microsoft.com /renew
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O4 - HKCU\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9452853420
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddcyaba - C:\WINDOWS\SYSTEM32\ddcyaba.dll
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\System32\pmkjg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE



But please remember that the original problem has gone away and I can see a definite increase in speed etc.
Please may I express my total gratitude to you for your precious time and the efforts you go to in order to help other people. What would we do without you guys? Thank you so much

Regards,
Ges Scott.

PS I will ensure that Windows Updates are ALWAYS ON in future.
:D
Ges
Active Member
 
Posts: 11
Joined: March 7th, 2007, 7:53 pm
Location: Leeds

Post by Shaba » March 9th, 2007, 5:26 am

Hi

Unfortunately I see no sp1 installed and you seem to have grabbed more nasties :(

First try to re-install sp1a.

If no success, visit here in order to validate your Windows and post back results with a fresh HijackThis log, please :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by Ges » March 9th, 2007, 10:04 am

Hello again Shaba.

I have tried to install SP1a again but at the end I got an alert box saying 'Access Denied' and had to let windows replace what it had tried to do.
I then went to the validation site as instructed in your link and validated my copy of Windows. This was OK ( the chassis sticker is still in place ). I bought this PC with Windows already installed but also had a CD with it. I keep various important CDs such as that at my Father's house and so had to telephone him to answer the questions that Windows was asking. Everything checked out OK.
Here is the HijackThis.log after I have done all this.

Logfile of HijackThis v1.99.1
Scan saved at 13:54:26, on 09/03/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-sea ... mpl1&find=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1EB27C5E-3DF4-41E2-B51A-D80F812D561D} - C:\WINDOWS\System32\ddcyaba.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {80CF12B4-3883-42E2-B820-0C5E5BA0D353} - C:\WINDOWS\System32\pmkjg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\System32\ocshmkwj.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WindowsUpdate renew] c:\windows\iexplore\iexplore.exe -v 000030 -s http://windowsupdate.microsoft.com /renew
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O4 - HKCU\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9452853420
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ddcyaba - C:\WINDOWS\SYSTEM32\ddcyaba.dll
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\System32\pmkjg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE



What are the 'nasties' that you refer to? Or would that be too difficult for me to understand?
Incidentally, the original problem has not re-appeared.

Regards,
Ges Scott.
Ges
Active Member
 
Posts: 11
Joined: March 7th, 2007, 7:53 pm
Location: Leeds

Post by Shaba » March 9th, 2007, 12:51 pm

Hi

Well then your copy of windows is likely corrupted in some way.

You have a Vundo infection among others; let's get rid of it first:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
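The kind of triage Shaba does by eye on the logs above, as an added example (not code from this thread, from HijackThis or from VundoFix): a small Python script that parses HijackThis 1.99.1 entries and flags the patterns that turned out to matter here: a malformed or unfamiliar search URL (R0/R1), random-looking module names in System32 (O2/O4/O20), a well-known binary such as iexplore.exe running from the wrong directory, and entries whose file is already gone. The allowlists, the "expected home" table and the sample log are assumptions constructed for the example, modelled on entries quoted in the thread.

```python
"""Triage helper for HijackThis 1.99.1 logs (added example, not from the thread)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "low"
    section: str    # HijackThis section tag, e.g. "O4"
    reason: str
    line: str       # the log line that triggered it


# One HijackThis entry: a section tag such as R1/F2/O20, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# Absolute Windows path to a dll/exe/ocx inside an entry body (spaces allowed, as in
# "C:\Program Files\..."), terminated by whitespace, a quote, a comma or a slash.
PATH_RE = re.compile(r'(?i)[a-z]:\\[^",]+?\.(?:dll|exe|ocx)(?=[\s",/]|$)')
# Vundo-style names seen in this thread (ddcyaba, pmkjg, nxfxqjtq): 5-8 lowercase letters only.
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")

# Assumed allowlists, constructed for this example; a real deployment would keep
# these centrally and far more completely.
KNOWN_SEARCH_HOSTS = {"www.google.co.uk", "www.yahoo.com", "us.rd.yahoo.com"}
KNOWN_SYSTEM32_STEMS = {"userinit", "wgalogon", "msdxm", "svchost", "rundll32"}
# Where a well-known binary is expected to live (lower-case path fragment).
# c:\windows\iexplore\iexplore.exe from this thread fails this check.
EXPECTED_HOME = {
    "iexplore.exe": "\\program files\\internet explorer\\",
    "svchost.exe": "\\windows\\system32\\",
}

# Constructed sample log (assumption), modelled on the entries quoted in the thread.
# The truncated R1 URL is reproduced as the forum displayed it.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-sea ... mpl1&find=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1EB27C5E-3DF4-41E2-B51A-D80F812D561D} - C:\WINDOWS\System32\ddcyaba.dll
O2 - BHO: (no name) - {80CF12B4-3883-42E2-B820-0C5E5BA0D353} - C:\WINDOWS\System32\pmkjg.dll (file missing)
O4 - HKLM\..\Run: [WindowsUpdate renew] c:\windows\iexplore\iexplore.exe -v 000030 -s http://windowsupdate.microsoft.com /renew
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O20 - Winlogon Notify: ddcyaba - C:\WINDOWS\SYSTEM32\ddcyaba.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""


def _check_url(sec: str, body: str, line: str, out: list) -> None:
    """R0/R1 hold IE start page and search URLs, a classic hijack target."""
    _, _, value = body.partition(" = ")
    value = value.strip()
    if not value:
        return                      # empty values (e.g. LinksFolderName) are fine
    m = re.match(r"^(https?)://([^/\s]+)", value, re.IGNORECASE)
    if not m:
        out.append(Finding("high", sec, "start/search value is not a well-formed http(s) URL", line))
    elif m.group(2).lower() not in KNOWN_SEARCH_HOSTS:
        out.append(Finding("high", sec, "start/search host not on the allowlist: " + m.group(2), line))


def _check_paths(sec: str, body: str, line: str, out: list) -> None:
    """Everything else: look at the files an entry loads or runs."""
    if "(file missing)" in body or "(no file)" in body:
        out.append(Finding("low", sec, "points at a file that no longer exists (stale entry, clean up)", line))
    for path in PATH_RE.findall(body):
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        stem = base.rsplit(".", 1)[0]
        home = EXPECTED_HOME.get(base)
        if home is not None and home not in low:
            out.append(Finding("high", sec, f"{base} running from an unexpected directory", line))
        elif "\\system32\\" in low and stem not in KNOWN_SYSTEM32_STEMS:
            if RANDOM_STEM_RE.match(stem):
                out.append(Finding("high", sec, f"random-looking System32 module name: {base}", line))
            else:
                out.append(Finding("low", sec, f"unlisted System32 binary: {base}", line))


def triage(log_text: str) -> list:
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings: list = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                # header lines and the process list carry no tag
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            _check_url(sec, body, line, findings)
        else:
            _check_paths(sec, body, line, findings)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section:3} {f.reason}\n        {f.line}")
```

On the constructed sample this reports six high findings (the hhttp search URL, ddcyaba.dll twice, pmkjg.dll, nxfxqjtq.dll and the misplaced iexplore.exe) and three low ones, while leaving Userinit, WgaLogon, the Adobe BHO and the Google start page alone.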

Post by Ges » March 9th, 2007, 1:54 pm

Hi Shaba,

I've done as instructed and here are the results:

VundoFix.txt:
VundoFix V6.3.9

Checking Java version...

Sun Java not detected
Scan started at 19:16:50 25/02/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.3.12

Checking Java version...

Sun Java not detected
Scan started at 12:39:58 06/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\afqvoksq.dll
C:\WINDOWS\system32\arcsepqa.exe
C:\WINDOWS\system32\ddcyaba.dll
C:\WINDOWS\System32\gjkmp.bak1
C:\WINDOWS\System32\gjkmp.bak2
C:\WINDOWS\System32\gjkmp.ini
C:\WINDOWS\system32\hfbnnxoo.dll
C:\WINDOWS\system32\jtdbikfo.exe
C:\WINDOWS\system32\ooxnnbfh.ini
C:\WINDOWS\System32\pmkjg.dll
C:\WINDOWS\system32\qskovqfa.ini

Beginning removal...

VundoFix V6.3.12

Checking Java version...

Sun Java not detected
Scan started at 17:22:01 09/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\afqvoksq.dll
C:\WINDOWS\system32\arcsepqa.exe
C:\WINDOWS\system32\ddcyaba.dll
C:\WINDOWS\System32\gjkmp.bak1
C:\WINDOWS\System32\gjkmp.bak2
C:\WINDOWS\System32\gjkmp.ini
C:\WINDOWS\System32\gjkmp.tmp
C:\WINDOWS\system32\hfbnnxoo.dll
C:\WINDOWS\system32\jtdbikfo.exe
C:\WINDOWS\system32\luwfarqb.exe
C:\WINDOWS\system32\ooxnnbfh.ini
C:\WINDOWS\System32\pmkjg.dll
C:\WINDOWS\system32\qskovqfa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\afqvoksq.dll
C:\WINDOWS\system32\afqvoksq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\arcsepqa.exe
C:\WINDOWS\system32\arcsepqa.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcyaba.dll
C:\WINDOWS\system32\ddcyaba.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\gjkmp.bak1
C:\WINDOWS\System32\gjkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\gjkmp.bak2
C:\WINDOWS\System32\gjkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\gjkmp.ini
C:\WINDOWS\System32\gjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\gjkmp.tmp
C:\WINDOWS\System32\gjkmp.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\hfbnnxoo.dll
C:\WINDOWS\system32\hfbnnxoo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jtdbikfo.exe
C:\WINDOWS\system32\jtdbikfo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\luwfarqb.exe
C:\WINDOWS\system32\luwfarqb.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ooxnnbfh.ini
C:\WINDOWS\system32\ooxnnbfh.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qskovqfa.ini
C:\WINDOWS\system32\qskovqfa.ini Has been deleted!

Performing Repairs to the registry.
Done!

And the new HijackThis.log:
Logfile of HijackThis v1.99.1
Scan saved at 17:49:56, on 09/03/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-sea ... mpl1&find=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1EB27C5E-3DF4-41E2-B51A-D80F812D561D} - C:\WINDOWS\System32\ddcyaba.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {80CF12B4-3883-42E2-B820-0C5E5BA0D353} - C:\WINDOWS\System32\pmkjg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\System32\ocshmkwj.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WindowsUpdate renew] c:\windows\iexplore\iexplore.exe -v 000030 -s http://windowsupdate.microsoft.com /renew
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O4 - HKCU\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9452853420
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\System32\pmkjg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: cpuidle - Unknown owner - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\CPUIDLE\srvany.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE





Thank you.
Ges Scott.
:)
Ges
Active Member
 
Posts: 11
Joined: March 7th, 2007, 7:53 pm
Location: Leeds

Post by Shaba » March 9th, 2007, 2:00 pm

Hi

Next please upload these files to VirusTotal and post back results here:

C:\WINDOWS\System32\nxfxqjtq.dll
c:\windows\iexplore\iexplore.exe
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Post by Ges » March 9th, 2007, 3:02 pm

Hi Shaba,

Here are the results for the DLL:

Antivirus Version Update Result
AntiVir 7.3.1.41 03.09.2007 ADSPY/Virtumonde.HB.1
Authentium 4.93.8 03.09.2007 no virus found
Avast 4.7.936.0 03.09.2007 no virus found
AVG 7.5.0.447 03.08.2007 Adware Generic.VSL
BitDefender 7.2 03.09.2007 no virus found
CAT-QuickHeal 9.00 03.09.2007 AdWare.Virtumonde.hb (Not a Virus)
ClamAV devel-20060426 03.09.2007 no virus found
DrWeb 4.33 03.09.2007 Trojan.Virtumod
eSafe 7.0.14.0 03.08.2007 no virus found
eTrust-Vet 30.6.3467 03.09.2007 Win32/Vundo!generic
Ewido 4.0 03.09.2007 no virus found
FileAdvisor 1 03.09.2007 no virus found
Fortinet 2.85.0.0 03.09.2007 suspicious
F-Prot 4.3.1.45 03.09.2007 no virus found
F-Secure 6.70.13030.0 03.09.2007 no virus found
Ikarus T3.1.1.3 03.09.2007 not-a-virus:AdWare.Win32.Virtumonde.hb
Kaspersky 4.0.2.24 03.09.2007 not-a-virus:AdWare.Win32.Virtumonde.hb
McAfee 4981 03.09.2007 no virus found
Microsoft 1.2204 03.09.2007 no virus found
NOD32v2 2105 03.09.2007 no virus found
Norman 5.80.02 03.09.2007 W32/Virtumonde.FGA
Panda 9.0.0.4 03.09.2007 Spyware/Virtumonde
Prevx1 V2 03.09.2007 no virus found
Sophos 4.15.0 03.09.2007 Virtumundo
Sunbelt 2.2.907.0 03.07.2007 no virus found
Symantec 10 03.09.2007 Trojan.Vundo
TheHacker 6.1.6.073 03.09.2007 Adware/Virtumonde.hb
UNA 1.83 03.07.2007 no virus found
VBA32 3.11.2 03.08.2007 no virus found
VirusBuster 4.3.19:9 03.09.2007 Adware.Virtumonde.BM

Aditional Information
File size: 123412 bytes
MD5: 3e5c3e21174b361e4b6d387e0e5521cb
SHA1



Results for the iexplore
Avast 4.7.936.0 03.09.2007 no virus found
AVG 7.5.0.447 03.08.2007 no virus found
BitDefender 7.2 03.09.2007 no virus found
CAT-QuickHeal 9.00 03.09.2007 no virus found
ClamAV devel-20060426 03.09.2007 no virus found
DrWeb 4.33 03.09.2007 no virus found
eSafe 7.0.14.0 03.08.2007 Win32.Agent.qd
eTrust-Vet 30.6.3467 03.09.2007 no virus found
Ewido 4.0 03.09.2007 Logger.Agent.qd
FileAdvisor 1 03.09.2007 no virus found
Fortinet 2.85.0.0 03.09.2007 W32/Dloader.FGL!tr
F-Prot 4.3.1.45 03.09.2007 W32/Pws.AVC
F-Secure 6.70.13030.0 03.09.2007 Trojan-Spy.Win32.Agent.qd
Ikarus T3.1.1.3 03.09.2007 no virus found
Kaspersky 4.0.2.24 03.09.2007 Trojan-Spy.Win32.Agent.qd
McAfee 4981 03.09.2007 no virus found
Microsoft 1.2204 03.09.2007 no virus found
NOD32v2 2105 03.09.2007 Win32/Spy.Agent.QD
Norman 5.80.02 03.09.2007 no virus found
Panda 9.0.0.4 03.09.2007 Trj/Downloader.MES
Prevx1 V2 03.09.2007 no virus found
Sophos 4.15.0 03.09.2007 no virus found
Sunbelt 2.2.907.0 03.07.2007 Trojan.Win32.VB.aft
Symantec 10 03.09.2007 Infostealer
TheHacker 6.1.6.073 03.09.2007 no virus found
UNA 1.83 03.07.2007 no virus found
VBA32 3.11.2 03.08.2007 no virus found
VirusBuster 4.3.19:9 03.09.2007 Trojan.DL.Agent.FXM


Aditional Information
File size: 54272 bytes
MD5:


I'm not sure what I'm looking at but it appears terrible!
Thank you,
Ges Scott.
:)
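The two tables above are multi-engine verdicts, and the useful reading of them is not "how many hits" but "how many firm detections, and what family do they agree on" despite every vendor naming it differently (Virtumonde, Vundo, Virtumod). The following Python is an added example, not code from the post, from VirusTotal or from the forum's tooling; it parses rows in the pasted "Engine Version Update Result" layout, counts a bare "suspicious" separately from firm detections, and tallies family-like tokens across the names. The rows are copied from the DLL table above; the list of generic words to ignore is my own assumption.

```python
import re
from collections import Counter

# Rows copied from the VirusTotal result table in the post above (a subset of the
# DLL results), in the same "Engine Version Update Result" layout.
VT_ROWS_DLL = """\
Antivirus Version Update Result
AntiVir 7.3.1.41 03.09.2007 ADSPY/Virtumonde.HB.1
Authentium 4.93.8 03.09.2007 no virus found
AVG 7.5.0.447 03.08.2007 Adware Generic.VSL
CAT-QuickHeal 9.00 03.09.2007 AdWare.Virtumonde.hb (Not a Virus)
DrWeb 4.33 03.09.2007 Trojan.Virtumod
eTrust-Vet 30.6.3467 03.09.2007 Win32/Vundo!generic
Fortinet 2.85.0.0 03.09.2007 suspicious
Kaspersky 4.0.2.24 03.09.2007 not-a-virus:AdWare.Win32.Virtumonde.hb
McAfee 4981 03.09.2007 no virus found
Symantec 10 03.09.2007 Trojan.Vundo
"""

# engine, version and a dd.mm.yyyy signature date, then the verdict (may contain spaces)
ROW = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d\d\.\d\d\.\d{4})\s+(?P<result>.+)$")
CLEAN = {"no virus found"}
WEAK = {"suspicious"}  # heuristic verdict without a name: counted, but not as a detection
# Words that appear in many vendors' names but identify no family (own assumption).
GENERIC = {"adware", "spyware", "trojan", "win32", "generic", "virus", "not", "spy",
           "agent", "downloader", "dloader", "logger", "infostealer", "pws"}


def parse_vt_table(text):
    """Return [(engine, result)] for each row matching the layout; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["engine"], m["result"].strip()))
    return rows


def summarize(rows):
    """Firm detections vs. weak 'suspicious' verdicts vs. total engines."""
    detected = [(e, r) for e, r in rows if r.lower() not in CLEAN | WEAK]
    weak = [(e, r) for e, r in rows if r.lower() in WEAK]
    return {"total": len(rows), "detected": len(detected), "weak": len(weak),
            "names": dict(detected)}


def family_votes(rows):
    """Tally alphabetic tokens of 4+ letters across detection names, minus GENERIC,
    so 'ADSPY/Virtumonde.HB.1' and 'AdWare.Win32.Virtumonde.hb' vote for one family."""
    votes = Counter()
    for _, result in rows:
        if result.lower() in CLEAN | WEAK:
            continue
        for tok in set(re.findall(r"[A-Za-z]{4,}", result)):
            if tok.lower() not in GENERIC:
                votes[tok.lower()] += 1
    return votes


if __name__ == "__main__":
    rows = parse_vt_table(VT_ROWS_DLL)
    s = summarize(rows)
    print("%d/%d engines detect, %d only 'suspicious'" % (s["detected"], s["total"], s["weak"]))
    print("family consensus:", family_votes(rows).most_common(3))
```

On the rows above this reports 7 of 10 engines with a firm detection, one "suspicious", and "virtumonde" as the leading family token with "vundo" second; the two are the same family under different vendor names, which is the kind of cross-check a triager wants before trusting any single engine's "no virus found".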

Unread postby Shaba » March 9th, 2007, 3:13 pm

Hi

Both are viruses as I expected.

Open HijackThis, click do a system scan only and checkmark these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-sea ... mpl1&find=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {1EB27C5E-3DF4-41E2-B51A-D80F812D561D} - C:\WINDOWS\System32\ddcyaba.dll (file missing)
O2 - BHO: (no name) - {80CF12B4-3883-42E2-B820-0C5E5BA0D353} - C:\WINDOWS\System32\pmkjg.dll (file missing)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\System32\ocshmkwj.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [WindowsUpdate renew] c:\windows\iexplore\iexplore.exe -v 000030 -s http://windowsupdate.microsoft.com /renew
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O4 - HKCU\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\System32\pmkjg.dll (file missing)
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)


Close all windows including browser and press fix checked.

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Delete these:

C:\WINDOWS\System32\v6.exe
c:\windows\iexplore\iexplore.exe (delete entire iexplore folder if there's nothing familiar to you).
C:\WINDOWS\System32\nxfxqjtq.dll

Empty Recycle Bin
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Next, click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Please post:
  1. AVG Anti-Spyware log
  2. A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
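The entries Shaba picked out of the log share a few tells: orphaned "(file missing)" references, DLLs in System32 with random-looking names (Vundo's signature), a logon entry launching "iexplore.exe" from a folder Internet Explorer never lives in, and a search URL with a mangled scheme. The Python below is an added example, not HijackThis code or anything from the forum, that applies those tells mechanically to raw HijackThis lines. The sample lines are copied from the logs in this thread (the flagged ones from Shaba's fix list, the benign ones from the later log); the vowel/consonant thresholds for "random-looking" and the check for `C:\Program.exe` (typically what HijackThis shows for a service whose unquoted ImagePath contains a space, so it is filed for review rather than as malware) are my own assumptions.

```python
import re

# Sample HijackThis entries. The suspicious ones are the entries Shaba asked to
# fix in the post above; the benign ones are taken from the later, cleaner log.
SAMPLE_HJT = r'''
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hhttp://search.media-search.net/nph-sea ... mpl1&find=
O2 - BHO: (no name) - {1EB27C5E-3DF4-41E2-B51A-D80F812D561D} - C:\WINDOWS\System32\ddcyaba.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WindowsUpdate renew] c:\windows\iexplore\iexplore.exe -v 000030 -s http://windowsupdate.microsoft.com /renew
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: pmkjg - C:\WINDOWS\System32\pmkjg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
'''

SYS32_DLL = re.compile(r"\\system32\\([a-z]+)\.dll\b", re.I)
RUN_ENTRY = re.compile(r"^O4 - .*?\\Run: \[[^\]]*\] (.*)$")
WIN_SUBDIR = re.compile(r"^[a-z]:\\windows\\([^\\]+)\\", re.I)
URL_VALUE = re.compile(r"^R[01] - .* = (\S+)")


def looks_random(name):
    """Vundo-style names are lowercase letters with few vowels (e.g. nxfxqjtq).
    Heuristic (own thresholds): 5+ letters and either <=25% vowels or 4+ consonants in a row."""
    name = name.lower()
    if not name.isalpha() or len(name) < 5:
        return False
    vowels = sum(c in "aeiou" for c in name)
    longest = max((len(run) for run in re.findall(r"[^aeiou]+", name)), default=0)
    return vowels / len(name) <= 0.25 or longest >= 4


def first_token(cmd):
    """Executable path at the start of a Run command (handles a quoted path)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]


def triage_line(line):
    """Return [(level, reason)] for one HijackThis line; empty means nothing to say."""
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append(("review", "points at a file that no longer exists (orphaned entry)"))
    if re.search(r"\\Program\.exe\b", line, re.I):
        reasons.append(("review", "service path truncated at a space; check the real unquoted ImagePath"))
    m = SYS32_DLL.search(line)
    if m and looks_random(m.group(1)):
        reasons.append(("high", "System32 DLL with a random-looking name: %s.dll" % m.group(1)))
    m = RUN_ENTRY.match(line)
    if m:
        exe = first_token(m.group(1))
        sub = WIN_SUBDIR.match(exe)
        if sub and sub.group(1).lower() not in ("system32", "system"):
            reasons.append(("high", "logon entry launches from non-standard Windows subfolder '%s'" % sub.group(1)))
        elif exe.lower().endswith(".exe") and re.match(r"^[a-z]:\\windows\\system32\\", exe, re.I):
            reasons.append(("review", "executable run from System32 at logon; confirm it is a known Windows binary"))
        if exe.lower().endswith("rundll32.exe"):
            reasons.append(("review", "rundll32 loads a DLL export at logon"))
    m = URL_VALUE.match(line)
    if m and not re.match(r"https?://", m.group(1)):
        reasons.append(("high", "search/start page value has a malformed URL scheme"))
    return reasons


def triage(text):
    """Return [(level, line, [reason, ...])] for every flagged line, 'high' if any reason is."""
    out = []
    for line in text.strip().splitlines():
        reasons = triage_line(line)
        if reasons:
            level = "high" if any(lv == "high" for lv, _ in reasons) else "review"
            out.append((level, line, [r for _, r in reasons]))
    return out


if __name__ == "__main__":
    for level, line, reasons in triage(SAMPLE_HJT):
        print(level.upper(), line[:70], "->", "; ".join(reasons))
```

On the sample above this marks the `hhttp://` search URL, the three random-named System32 DLLs and the `c:\windows\iexplore\iexplore.exe` logon entry as high, files `v6.exe` and the MySQL service line for review, and says nothing about the Adobe BHO, the AVG tray entry or WgaLogon.dll. Heuristics like these are a first pass for a human, not a verdict: a legitimate product can ship an ugly filename, and the "review" items here are exactly the ones a person must confirm by hand.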

Unread postby Ges » March 10th, 2007, 2:17 pm

Hello Shaba,
Wow, that was interesting. I carried out your instructions. Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:07:48, on 10/03/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WindowsUpdate renew] c:\windows\iexplore\iexplore.exe -v 000030 -s http://windowsupdate.microsoft.com /renew
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9452853420
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

I will post the AVG-ANTISPYWARE.LOG in the following post because it's around 13kb.

Ges.

Unread postby Ges » March 10th, 2007, 2:22 pm

This is the log of avg-antispyware that I saved on the desktop.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:56:06 10/03/2007

+ Scan result:



HKLM\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj -> Adware.BetterInternet : Error during cleaning.
HKLM\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj.1 -> Adware.BetterInternet : Error during cleaning.
HKLM\SOFTWARE\Classes\ZServDll.ZServDllObj -> Adware.BetterInternet : Error during cleaning.
HKLM\SOFTWARE\Classes\ZServDll.ZServDllObj.1 -> Adware.BetterInternet : Error during cleaning.
HKLM\SOFTWARE\IEagent -> Adware.ClearSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\IEagent\143 -> Adware.ClearSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\IEagent\206 -> Adware.ClearSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\IEagent\339 -> Adware.ClearSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\IEagent\348 -> Adware.ClearSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\IEagent\387 -> Adware.ClearSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\IEagent\675 -> Adware.ClearSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\IEagent\757 -> Adware.ClearSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\urlcli.UrlCliObj -> Adware.ClientMan : Error during cleaning.
HKLM\SOFTWARE\Classes\urlcli.UrlCliObj.1 -> Adware.ClientMan : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame.1 -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame.1 -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1 -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow.1 -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\Wbho.Band -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\Wbho.Band.1 -> Adware.IEPlugin : Error during cleaning.
E:\System Volume Information\_restore{5BDDA976-E926-494B-A867-B947B3A516D5}\RP124\A0053971.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1043198755-3057704224-1007\Software\2nd -> Adware.SecondThought : Cleaned with backup (quarantined).
HKU\S-1-5-21-1602489464-1043198755-3057704224-1007\Software\2nd\Client -> Adware.SecondThought : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mobupd.exe -> Adware.WurldMedia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0334A434-6A8E-4615-AD08-CDD4380EAC9D}\RP595\A0515999.exe -> Logger.Agent.qd : Cleaned with backup (quarantined).
C:\Program Files\Evrsoft First Page 2006\Iscripts\Page Details\crazy-window.izs -> Not-A-Virus.BadJoke.JS.RJump : Cleaned with backup (quarantined).
C:\Program Files\Evrsoft\1st Page 2000\Iscripts\Page Details\crazy-window.izs -> Not-A-Virus.BadJoke.JS.RJump : Cleaned with backup (quarantined).
E:\Program Files\Evrsoft\1st Page 2000\IScripts\Page Details\crazy-window.izs -> Not-A-Virus.BadJoke.JS.RJump : Cleaned with backup (quarantined).
E:\Documents and Settings\Gerald Scott\Local Settings\Temp\Temporary Internet Files\Content.IE5\8HIN09IV\.girlspark[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Cleaned with backup (quarantined).
E:\Documents and Settings\Gerald Scott\Local Settings\Temp\Temporary Internet Files\Content.IE5\OLMVCPAZ\top100[1].htm -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
E:\Documents and Settings\Gerald Scott\Local Settings\Temp\Temporary Internet Files\Content.IE5\OLMVCPAZ\top[1].htm -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
E:\Documents and Settings\Gerald Scott\Local Settings\Temp\Temporary Internet Files\Content.IE5\OLMVCPAZ\top[2].htm -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
E:\Documents and Settings\Gerald Scott\Local Settings\Temp\Temporary Internet Files\Content.IE5\W9AB0HEB\top100[1].htm -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
E:\Documents and Settings\Gerald Scott\Local Settings\Temp\Temporary Internet Files\Content.IE5\W9AB0HEB\top[1].htm -> Not-A-Virus.Exploit.JS.ActiveXComponent : Cleaned with backup (quarantined).
C:\Documents and Settings\Lisa Larvin\My Documents\thing\home xp serials and cracks\Windows_XP_Home_Edition_build_2600_English.zip/Patch.exe/crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Lisa Larvin\My Documents\thing\home xp serials and cracks\Windows_XP_Professional_Home,_.NET_WPA_Patcher_Multilingual.zip/WPA_PatcherV1.0.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Lisa Larvin\My Documents\thing\home xp serials and cracks\Windows_XP_Professional_Home,_.NET_WPA_Patcher_Multilingual.zip/WPA_Patcher_Multilingual.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Lisa Larvin\home xp serials and cracks\Windows_XP_Home_Edition_build_2600_English.zip/Patch.exe/crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Lisa Larvin\home xp serials and cracks\Windows_XP_Professional_Home,_.NET_WPA_Patcher_Multilingual.zip/WPA_PatcherV1.0.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Lisa Larvin\home xp serials and cracks\Windows_XP_Professional_Home,_.NET_WPA_Patcher_Multilingual.zip/WPA_Patcher_Multilingual.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
E:\Documents and Settings\Gerald Scott\My Documents\home xp serials and cracks\Windows_XP_Home_Edition_build_2600_English.zip/Patch.exe/crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
E:\Documents and Settings\Gerald Scott\My Documents\home xp serials and cracks\Windows_XP_Professional_Home,_.NET_WPA_Patcher_Multilingual.zip/WPA_PatcherV1.0.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
E:\Documents and Settings\Gerald Scott\My Documents\home xp serials and cracks\Windows_XP_Professional_Home,_.NET_WPA_Patcher_Multilingual.zip/WPA_Patcher_Multilingual.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
E:\Documents and Settings\Gerald Scott\Cookies\gerald scott@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Lisa Larvin\My Documents\thing\(app) windows xp KeyGens & Cracks & Appz\WinXP KeyGen.rar/XPKey.exe -> Trojan.Small.edz : Cleaned with backup (quarantined).
E:\Documents and Settings\Gerald Scott\My Documents\(app) windows xp KeyGens & Cracks & Appz\WinXP KeyGen.rar/XPKey.exe -> Trojan.Small.edz : Cleaned with backup (quarantined).


::Report end



Incidentally, when I re-booted after the scan (to get out of Safe Mode), Windows gave an alert box saying:

Could not find module C:\WINDOWS\System32\nxfxqjtq.dll

which I believe you said was a problem.

Thank you,
Ges Scott.
:)

Unread postby Shaba » March 10th, 2007, 2:30 pm

Hi

That error message is a good sign :)

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ZServDll.ZServDllObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ZServDll.ZServDllObj.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\urlcli.UrlCliObj]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\urlcli.UrlCliObj.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band.1]

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Open HijackThis, click do a system scan only and checkmark these:

O4 - HKLM\..\Run: [WindowsUpdate renew] c:\windows\iexplore\iexplore.exe -v 000030 -s http://windowsupdate.microsoft.com /renew
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\System32\v6.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\System32\nxfxqjtq.dll",setvm


Close all windows including browser and press fix checked.

Reboot in safe mode

Run another scan with avg anti-spyware

Reboot

Please post:

1. AVG Anti-Spyware log
2. A new HijackThis log
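Shaba's fix.reg is built by hand from the report lines that ended in "Error during cleaning": each AVG short hive name (HKLM) becomes the full name regedit understands (HKEY_LOCAL_MACHINE), and a leading minus inside the brackets turns the line into a key deletion. The Python below is an added example, mine rather than AVG's or the forum's, that does that conversion from the report text so the key names are copied exactly instead of retyped (a one-letter slip in a key name simply deletes nothing). The report lines are copied from the post above; the hive-abbreviation table and the CRLF/trailing-newline handling are my assumptions about what regedit accepts.

```python
import re

# Lines copied from the AVG Anti-Spyware report posted above (a subset): registry
# keys the scanner could not remove, plus entries it did clean, for contrast.
AVG_REPORT = r'''
HKLM\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj -> Adware.BetterInternet : Error during cleaning.
HKLM\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj.1 -> Adware.BetterInternet : Error during cleaning.
HKLM\SOFTWARE\IEagent -> Adware.ClearSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Wbho.Band -> Adware.IEPlugin : Error during cleaning.
HKU\S-1-5-21-1602489464-1043198755-3057704224-1007\Software\2nd -> Adware.SecondThought : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mobupd.exe -> Adware.WurldMedia : Cleaned with backup (quarantined).
'''

# Short hive names as the report prints them -> full names a .reg file must use (own table).
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}
# "path -> detection name : status."  (the trailing full stop is dropped from status)
ENTRY = re.compile(r"^(?P<path>.+?) -> (?P<name>.+?) : (?P<status>.+?)\.?$")


def parse_report(text):
    """Split each report line into its path, detection name and status."""
    matches = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def failed_registry_keys(entries):
    """Registry keys (with full hive names) whose status says the cleaner failed.
    File paths such as C:\\... have no known hive prefix and are skipped."""
    keys = []
    for e in entries:
        hive, _, rest = e["path"].partition("\\")
        if hive in HIVES and e["status"].startswith("Error"):
            keys.append(HIVES[hive] + "\\" + rest)
    return keys


def build_reg(keys):
    """Text of a .reg that deletes each key: '-' before the key name inside the brackets.
    regedit wants the version header, a blank line after it, and a trailing line break."""
    lines = ["Windows Registry Editor Version 5.00", ""] + ["[-%s]" % k for k in keys]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    keys = failed_registry_keys(parse_report(AVG_REPORT))
    with open("fix.reg", "w", newline="") as f:  # newline="" keeps the CRLFs as written
        f.write(build_reg(keys))
    print("\n".join(keys))
```

Merge the resulting fix.reg exactly as described in the post (double-click, Yes, OK) after taking the registry export. If a rescan still lists the same keys with "Error during cleaning", open one of them in regedit and look at its Permissions: a .reg merge cannot delete a key whose ACL denies it, and deleting such keys by hand in regedit is the next step a helper would take.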

Unread postby Ges » March 10th, 2007, 6:12 pm

Hello Shaba,
Once again I've done as instructed. By the way, that alert box has gone now!

Here is the new HijackThis log:

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9452853420
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

And here is the AVG Anti-Spyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:54:38 10/03/2007

+ Scan result:



HKLM\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj -> Adware.BetterInternet : Error during cleaning.
HKLM\SOFTWARE\Classes\DLMaxDll.DLMaxDllObj.1 -> Adware.BetterInternet : Error during cleaning.
HKLM\SOFTWARE\Classes\ZServDll.ZServDllObj -> Adware.BetterInternet : Error during cleaning.
HKLM\SOFTWARE\Classes\ZServDll.ZServDllObj.1 -> Adware.BetterInternet : Error during cleaning.
HKLM\SOFTWARE\Classes\urlcli.UrlCliObj -> Adware.ClientMan : Error during cleaning.
HKLM\SOFTWARE\Classes\urlcli.UrlCliObj.1 -> Adware.ClientMan : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame.1 -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame.1 -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1 -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow.1 -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\Wbho.Band -> Adware.IEPlugin : Error during cleaning.
HKLM\SOFTWARE\Classes\Wbho.Band.1 -> Adware.IEPlugin : Error during cleaning.
C:\System Volume Information\_restore{0334A434-6A8E-4615-AD08-CDD4380EAC9D}\RP595\A0516027.exe -> Adware.WurldMedia : Cleaned with backup (quarantined).


::Report end



I notice the last log is much smaller now. Also there is quite a difference in overall speed (positive) of the PC.

Thank you,
Ges Scott.
:)

Unread postby Shaba » March 11th, 2007, 6:01 am

Hi

(I assume that you have now a registry backup)

Go to

Start -> Run -> regedit -> ok

Find this:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes

Delete these subkeys (they should look like a folder, right-click, choose Delete):

DLMaxDll.DLMaxDllObj
DLMaxDll.DLMaxDllObj.1
ZServDll.ZServDllObj
ZServDll.ZServDllObj.1
urlcli.UrlCliObj
urlcli.UrlCliObj.1
IMIToolbar.BottomFrame
IMIToolbar.BottomFrame.1
IMIToolbar.LeftFrame
IMIToolbar.LeftFrame.1
IMIToolbar.PopupBrowser
IMIToolbar.PopupBrowser.1
IMIToolbar.PopupWindow
IMIToolbar.PopupWindow.1
Wbho.Band
Wbho.Band.1

Do a registry scan with avg anti-spyware

Please post:

1. AVG Anti-Spyware log
2. A new HijackThis log