Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Zipzappromos.com + traffic.waypointcash.com

Post by Thedys » May 7th, 2005, 6:38 am

Hi,
I am running Windows XP SP2 (Home Edition) + Internet Explorer 6.0 SP2. Pop-up windows started to appear quite recently each time I launch my browser. Most of the time it is a 'zipzappromos.com' window although I also get from time to time a 'traffic.waypointcash.com' one.
I have run the following according to your instructions:
1 - Spybot 1.3 + Ad-aware 6
2 - a2
3 - Norton Anti-Virus (installed on my computer) + House Call
4 - HijackThis 1.99.1, the log of which is included at the end of this post.
Please also note that I have performed the following, according to the instructions that have been given on the DELL Community Forum 'HijackThis':
1) Installed RegSeeker 1.35 & performed a search for the following:
- EGDACCESS_1058.dll
- EGDACCESS_1058_XP.cab
- Instant Access
I then deleted any entry referring to these.
(I have also performed a global search on my PC and got rid of the EGDACCESS_1058.dll file.)
2) HijackThis > Open the Misc Tools section > Open hosts file manager
- clicked Open in Notepad
- added the following entries:
127.0.0.1 http://www.zipzappromos.com
127.0.0.1 zipzappromos.com
127.0.0.1 traffic.waypointcash.com
where each of them includes 7 spaces between '1' and the first letter
OK I am no techie but based on what is now happening ('zipzappromos' pop-ups now show a 'Cannot find server' page, I think my system now automatically redirects any such URL to my server and cannot find its content, right?). That is a first step but they still keep coming back, even in this 'new format'...
Finally I went to Internet Explorer > Tools > Internet Options > Sites, and added 'zipzappromos.com' and 'traffic.waypointcash.com' as forbidden sites. This didn't change anything.

Here is now my HijackThis log file content. Thanks in advance for your precious assistance!

Logfile of HijackThis v1.99.1
Scan saved at 12:37:05, on 07/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\DOCUMENTS AND SETTINGS\JOHO\MES DOCUMENTS\Z MES DOCUMENTS\qttask.exe
C:\Program Files\Larousse\Petit Larousse 2005\bin\HIPL2002Popup.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Colormailer\Photo Manager\MediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Implements Jammer - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: WebBar Class - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL (file missing)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {ACB3E0B7-7D0C-40B7-99B3-3EEACDF86BFB} - C:\WINDOWS\mslagent\4b_1,0,1,1_mslagent.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Watch] C:\PROGRA~1\AvA\Watch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\DOCUMENTS AND SETTINGS\JOHO\MES DOCUMENTS\Z MES DOCUMENTS\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HyperappelPL] C:\Program Files\Larousse\Petit Larousse 2005\bin\HIPL2002Popup.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RevolteMediaDetector] C:\Program Files\Colormailer\Photo Manager\MediaDetector.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PopupJammer] C:\Program Files\Advanced Searchbar\JAMMER.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Add to White List - C:\Program Files\Advanced Searchbar\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\Program Files\Advanced Searchbar\delfromlist.js
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.fr
O16 - DPF: A3Cab1 - http://www.globalcashsolutions.com/kithtml/A3Cab1.CAB
O16 - DPF: Interface Chat Wanadoo - http://chat7.x-echo.com/version6/Applet/wchatsign.cab
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr/se ... r_cert.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/I ... _FR_XP.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Shared ... vSniff.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/I ... _FR_XP.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downloadv3.com/binaries/L ... _FR_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19436147d7871620c5 ... 601_fr.cab
O16 - DPF: {5CA8D349-C6E7-11D4-8166-009027DF3BB2} (France Telecom MDDK ActiveX Control) - http://accueil.ava.serveur-ava.com/stki ... /mDKid.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} - http://secure.aconti.net/acontix/goodthinxx.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplat ... curity.cab
O16 - DPF: {7DBFDA8E-D33B-11D4-9269-00600868E56E} (WWWInstall Class) - http://go.securelive.com/speed/WebInstall.dll
O16 - DPF: {8B936702-C234-40D0-B69C-A2F669A33978} - http://akamai.downloadv3.com/binaries/L ... _FR_XP.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Shared ... /cabsa.cab
O16 - DPF: {DDF44FD9-749F-4761-89BB-E8A59339E459} - http://akamai.downloadv3.com/binaries/L ... _FR_XP.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/I ... _FR_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/I ... _FR_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D15C78C-D212-4925-84F6-0638120E287C}: NameServer = 80.10.246.134 80.10.246.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D15C78C-D212-4925-84F6-0638120E287C}: NameServer = 80.10.246.134 80.10.246.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
Thedys
Active Member
 
Posts: 3
Joined: May 6th, 2005, 9:05 am

Post by 'KotaGuy » May 7th, 2005, 1:41 pm

Hi Thedys! Welcome to Malware Removal.

I'm 'KotaGuy, and I will be helping you with your HijackThis log.

Please download and install this disk cleanup utility called Cleanup! http://cleanup.stevengould.org/

It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space.
Here is a tutorial which describes its usage.

Run the disk cleanup utility and check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin.

Reboot.

Download and run the List Installed Programs script from here: http://www.billsway.com/vbspage/

You will have to scroll down the page a bit to find the script. Run it and post the resulting log in a reply to this thread.

Thanks!
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by Thedys » May 8th, 2005, 11:44 am

Hi 'Kotaguy:

THANKS A MILLION TIMES ;-)

Problem fixed! I have just spent about an hour browsing the Internet without any of these damned pop-up windows appearing every now and then.
Looks like your Cleanup! program was the key to my problem.
Anyway I am still attaching to this post the result of the VBS script I have run on my local system.

INSTALLED SOFTWARE (102) - ANDRE - 08/05/2005 16:48:57
a-squared Free 1.6 Ver: 1.6
Ad-aware 6 Personal Ver: 6.0.1.181 Personal
Adobe Acrobat - Reader 6.0.2 Update Ver: 6.0.2 Installed: 16/11/2004
Adobe Acrobat 5.0 Ver: 5.1
Adobe Download Manager 1.2 (Supprimer uniquement)
Adobe Photoshop Album 2.0 Ver: 2.0
Adobe Reader 6.0.1 - Français Ver: 006.000.001 Installed: 09/07/2004
Adobe Reader Multimedia Package Ver: 6.0.1 Installed: 12/07/2004
AvA Kiosque Micro
Bacchus
CC_ccProxyMSI Ver: 2.0.2.806 Installed: 03/09/2004
CC_ccStart Ver: 2.0.2.806 Installed: 03/09/2004
ccCommon Ver: 2.0.2.806 Installed: 03/09/2004
CleanUp!
Correctif Windows XP - KB834707 Ver: 20040929.110854
Correctif Windows XP - KB867282 Ver: 20050127.090417
Correctif Windows XP - KB873333 Ver: 20050114.005213
Correctif Windows XP - KB873339 Ver: 20041117.092459
Correctif Windows XP - KB885250 Ver: 20050118.202711
Correctif Windows XP - KB885835 Ver: 20041027.181713
Correctif Windows XP - KB885836 Ver: 20041028.173203
Correctif Windows XP - KB885884 Ver: 20040924.025457
Correctif Windows XP - KB886185 Ver: 20041021.090540
Correctif Windows XP - KB887472 Ver: 20041014.162858
Correctif Windows XP - KB887742 Ver: 20041103.095002
Correctif Windows XP - KB888113 Ver: 20041116.131036
Correctif Windows XP - KB888302 Ver: 20041207.111426
Correctif Windows XP - KB890047 Ver: 20041221.124506
Correctif Windows XP - KB890175 Ver: 20041201.233338
Correctif Windows XP - KB890859 Ver: 1
Correctif Windows XP - KB890923 Ver: 1
Correctif Windows XP - KB891781 Ver: 20050110.165439
Correctif Windows XP - KB893066 Ver: 1
Correctif Windows XP - KB893086 Ver: 1
Dell ResourceCD
Dell Solution Center Ver: 1.00.0000 Installed: 17/06/2003
E210
Easy CD Creator 5 Basic Ver: 5.3.4.21 Installed: 17/06/2003
Extension HighMAT pour l'Assistant Graver un CD de Microsoft Windows XP Ver: 1.1.1905.1 Installed: 28/06/2004
Extension Système de Microsoft Money Ver: 12.0.120 Installed: 02/01/2004
Fond d'écran du jour 1.0
Formation Microsoft Interactive
Google Toolbar for Internet Explorer
Happy Note! Clé de Sol et Clé de Fa
Help and Support Customization Ver: 1.00.0000 Installed: 17/06/2003
HijackThis 1.99.1 Ver: 1.99.1
Installation de Wanadoo
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet Ver: 6.05.2001 Installed: 17/06/2003
Jasc Paint Shop Photo Album Ver: 4.0.4 Installed: 06/11/2004
Jeux Classiques Ver: 2.0.0 Installed: 26/09/2004
Le Guide des Sites Francophones Ver: 1.0
Lettrines du Petit Larousse
LiveReg (Symantec Corporation) Ver: 2.4.1.2056
LiveUpdate 2.6 (Symantec Corporation) Ver: 2.6.14.0
Logitech Desktop Messenger
Logitech MouseWare 9.76
Logitech Resource Center
Macromedia Flash Player Ver: 7.0.14.0 Installed: 31/08/2004
Microsoft Data Access Components KB870669
Microsoft Money Ver: 12.0.120 Installed: 02/01/2004
Microsoft Office XP Media Content Ver: 10.0.2619.0 Installed: 17/06/2003
Microsoft Office XP Professional Ver: 10.0.6626.0 Installed: 04/01/2005
Microsoft Publisher 2002 Ver: 10.0.6626.0 Installed: 04/01/2005
MSRedist Ver: 1.0.0.0 Installed: 03/09/2004
Norton AntiSpam Ver: 2004.1.0.147 Installed: 03/09/2004
Norton AntiSpam Ver: 2004.1.0.147 Installed: 03/09/2004
Norton AntiVirus Ver: 10.00.00 Installed: 03/09/2004
Norton Internet Security Ver: 5.2.0.108 Installed: 03/09/2004
Norton Internet Security Ver: 7.0.0.177 Installed: 03/09/2004
Norton Internet Security Ver: 7.0.0.177 Installed: 03/09/2004
Norton Internet Security Ver: 7.0.0.177 Installed: 03/09/2004
Norton Internet Security Ver: 7.0.0.177 Installed: 03/09/2004
Norton Internet Security Ver: 7.0.0.177 Installed: 03/09/2004
Norton Internet Security Ver: 7.0.0.177 Installed: 03/09/2004
Norton Internet Security Ver: 7.0.0.177 Installed: 03/09/2004
Norton Internet Security Ver: 7.0.0.177 Installed: 03/09/2004
Norton Internet Security (Symantec Corporation) Ver: 7.0.0.177
Norton WMI Update Ver: 2005.1.0.111 Installed: 14/10/2004
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
ozihnq
Paint Shop Pro 7 Ver: 7.06.0000 Installed: 17/06/2003
Petit Larousse 2005
Picture Package Ver: 1.00.000
Plug-in Echecs Messager
Plug-in TicTacToe Messager
QuickTime
RealOne Player
Shockwave Flash
Sony Photo Manager Ver: 1.0 Installed: 25/03/2005
Sony USB Driver
Sound Blaster Live!
Spybot - Search & Destroy 1.3 Ver: 1.3
Symantec Network Drivers Update Ver: 5.5.1.6 Installed: 05/05/2005
Symantec Script Blocking Installer Ver: 1.0.0 Installed: 03/09/2004
Timbres de France Ver: 3.0
Viewpoint Media Player
WebFldrs XP Ver: 9.50.6513 Installed: 18/09/2002
Windows Installer 3.1 (KB893803) Ver: 3.1
Windows XP Service Pack 2 Ver: 20040819.151636
WinMX

Thanks again!
Thedys
Active Member
 
Posts: 3
Joined: May 6th, 2005, 9:05 am

Post by 'KotaGuy » May 8th, 2005, 1:33 pm

Thanks for posting the log... not quite done yet though :)

Download the "Registry Search Tool" (RegSrch.vbs) from here: http://www.billsway.com/vbspage/

Start it and paste in ozihnq, wait for it to finish (might take a few minutes), hit OK. A logfile should open up.

Post the resulting log in a reply to this thread please.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Post by Thedys » May 13th, 2005, 4:47 am

Hi 'KotaGuy! Sorry for the delay in getting back to you.
Once the script had completed, a first pop-up message appeared and showed the following:
"Search completed in 104 seconds. 1 instances of « ozihnq » found. Click OK to open Results in Word Pad"
I clicked OK and a window opened in WordPad with the following content:

REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string « ozihnq »
Thedys
Active Member
 
Posts: 3
Joined: May 6th, 2005, 9:05 am

Post by 'KotaGuy » May 13th, 2005, 5:13 am

Thanks for posting the log.

Step 1
Download and install Reglite. It is an easy-to-use Registry editor and we will use it later on in the fix.

Please back up your registry, instructions here. It is important to back up your registry before making any changes to it.

Step 2
Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\System32\ozihnq.exe


Check the box to delete on reboot and click the red X to the right. Click OK, then Yes to reboot now.

Allow it to reboot.

While the computer is booting up, tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter'.


Step 3

Hmmm... don't see the usual entries from the search... gonna get you to double check them anyways.

Open RegLite and copy/paste the following string in the address window at the top then click go.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Right click the "ozihnq.exe"="c:\\windows\\system32\\ozihnq.exe -start" value in the right pane and delete.

Then copy/paste the following into the address window and click go.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ozihnq.exe

Right click the ozihnq.exe key in the left pane and delete.

Exit Reglite.


Step 4
Open C:\Windows\Prefetch, select all and delete. (This will cause your computer to boot-up slower for the first few boots. Please do not be alarmed.)

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\Every username\Local Settings\Temp\
Also delete your Temporary Internet Files (Start > Control Panel > Internet Options > Delete Files), be sure to also select delete all offline content.
Empty the Recycle Bin.


Step 5
Reboot normally and run at least two of the following online virus scans making sure to reboot in between each one. Allow them to fix anything they find.

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Bitdefender
Command on Demand

Write down anything that can not be fixed.

Scan with HijackThis and post the new log as a reply to this thread. Include anything that can not be fixed by the online scans. Let me know if the popups stop.

Please let me know of any complications and how the computer is behaving.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
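
Added example, not part of the thread and not RegSrch.vbs's own code: a small offline search over a REGEDIT4 export that reports whether the Run value and the Uninstall key from Step 3 are still present, which is a quick way to confirm the cleanup took. The sample export is constructed; only the two registry locations and the Run value come from the post, and the `DisplayName` values and function names are assumptions.

```python
import re

# Constructed REGEDIT4 export. The Run value and the Uninstall key are the two
# locations named in Step 3 of the post; all other entries are made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\ccApp.exe\""
"ozihnq.exe"="c:\\windows\\system32\\ozihnq.exe -start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ozihnq.exe]
"DisplayName"="ozihnq"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CleanUp!]
"DisplayName"="CleanUp!"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"=data or @=data; quotes and backslashes inside a name are escaped.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
AUTOSTART_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.I)
UNINSTALL_RE = re.compile(r'\\CurrentVersion\\Uninstall\\[^\\]+$', re.I)


def _unescape(s):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_export(text):
    """Yield (key, value_name, data); value_name is None for the key line itself."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue  # blank lines and comments
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            yield key, None, None
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else '(Default)'
            data = m.group(2)
            # Only string values are decoded; dword:/hex: data is kept as written.
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            yield key, name, data


def find_leftovers(text, needle):
    """Return (kind, key, value_name, data) for every key or value matching needle."""
    needle = needle.lower()
    hits = []
    for key, name, data in parse_export(text):
        if name is None:
            # Match on the last path component so child keys are not counted twice.
            if needle in key.rsplit('\\', 1)[-1].lower():
                kind = 'uninstall-key' if UNINSTALL_RE.search(key) else 'key'
                hits.append((kind, key, None, None))
        elif needle in name.lower() or needle in data.lower():
            kind = 'autostart-value' if AUTOSTART_RE.search(key) else 'value'
            hits.append((kind, key, name, data))
    return hits


if __name__ == '__main__':
    for kind, key, name, data in find_leftovers(SAMPLE_EXPORT, 'ozihnq'):
        print(kind, key, name, data, sep=' | ')
```

Run against an export taken after Step 3, an empty result for the Run and Uninstall locations means both entries are gone.
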

Post by ChrisRLG » June 1st, 2005, 4:04 pm

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK