Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

www.iesecurepage.com please help me

Post by daveyben » November 7th, 2006, 5:47 pm

My homepage has gone to http://www.iesecurepage.com. It's causing me major problems, trying to get me to download products. I've tried HijackThis, CCleaner, adware, Spybot Search and Destroy; none have got rid of this. I don't know where it came from and it's a real pain. Could anyone help me please, as I'm a bit of a novice on the PC? Many thanks.
daveyben
Active Member
 
Posts: 6
Joined: November 7th, 2006, 3:17 pm

Post by Navigator » November 7th, 2006, 6:40 pm

Hello daveyben...welcome to Malware Removal!

Please do this:

Click here to download HJTsetup.exe.
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop
  • By default it will install to C:\Program Files\Hijack This
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again. Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit>Select All; then click on Edit>Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Post by daveyben » November 7th, 2006, 7:48 pm

This is my log file, hope it helps. I've tried all sorts to rid my PC of it, but please bear with me, I'm not great on PC.

Logfile of HijackThis v1.99.1
Scan saved at 23:44:32, on 07/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\TALKTA~1\backweb\81720\Program\SERVIC~1.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iVideoCodec\isamonitor.exe
C:\Program Files\iVideoCodec\isamini.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\iVideoCodec\isaddon.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: TalkTalk Online Security.lnk = C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fspex.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0071E3F0-6D71-485F-AB39-A5D05681D272}: NameServer = 62.24.128.18 62.24.128.17
O17 - HKLM\System\CS2\Services\Tcpip\..\{0071E3F0-6D71-485F-AB39-A5D05681D272}: NameServer = 62.24.128.18 62.24.128.17
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TalkTalk Online Security (BackWeb Plug-in - 81720) - BackWeb Technologies Inc. - C:\PROGRA~1\TALKTA~1\backweb\81720\Program\SERVIC~1.EXE
daveyben
Active Member
 
Posts: 6
Joined: November 7th, 2006, 3:17 pm

Post by Navigator » November 7th, 2006, 9:03 pm

Hey daveyben...you are doing great!
Please download SmitfraudFix (by S!Ri)
Alternate download site if the above link does not work: SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Post by daveyben » November 8th, 2006, 6:35 am

Hi, thanks for the help again. I really hope I've done this right.

SmitFraudFix v2.119

Scan done at 10:29:36.99, 08/11/2006
Run from C:\Documents and Settings\Dave\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\okkmtv.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dave


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dave\Application Data

C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusBursters 6.2.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Dave\FAVORI~1

C:\DOCUME~1\Dave\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\iVideoCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://hometown.aol.co.uk/xxkinkycouple/myhomepage/1alert.gif?mtbrand=AOL_UK"
"SubscribedURL"="http://hometown.aol.co.uk/xxkinkycouple/myhomepage/1alert.gif?mtbrand=AOL_UK"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C1A2FDA2-1A5B-2A8F-F3A2-B22DA1A3C41D}"="NetWrap for Windows"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C}"="WaitWain for Windows"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896}"="bonspells"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
daveyben
Active Member
 
Posts: 6
Joined: November 7th, 2006, 3:17 pm

Post by Navigator » November 8th, 2006, 8:51 am

You did it right.....good job.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Post back with the C:\rapport.txt file and a new HJT log for me to review....
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Post by daveyben » November 8th, 2006, 12:17 pm

This is the rapport.txt file, I hope.

SmitFraudFix v2.119

Scan done at 15:22:17.95, 08/11/2006
Run from C:\Documents and Settings\Dave\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C1A2FDA2-1A5B-2A8F-F3A2-B22DA1A3C41D}"="NetWrap for Windows"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C}"="WaitWain for Windows"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896}"="bonspells"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\okkmtv.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\Documents and Settings\Dave\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusBursters 6.2.lnk Deleted
C:\DOCUME~1\Dave\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\iVideoCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
daveyben
Active Member
 
Posts: 6
Joined: November 7th, 2006, 3:17 pm

Post by daveyben » November 8th, 2006, 12:19 pm

And this is the new HJT log for you, I hope.

Logfile of HijackThis v1.99.1
Scan saved at 16:18:23, on 08/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\TALKTA~1\backweb\81720\Program\SERVIC~1.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - Global Startup: TalkTalk Online Security.lnk = C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fspex.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0071E3F0-6D71-485F-AB39-A5D05681D272}: NameServer = 62.24.252.135 62.24.252.134
O17 - HKLM\System\CS2\Services\Tcpip\..\{0071E3F0-6D71-485F-AB39-A5D05681D272}: NameServer = 62.24.252.135 62.24.252.134
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TalkTalk Online Security (BackWeb Plug-in - 81720) - BackWeb Technologies Inc. - C:\PROGRA~1\TALKTA~1\backweb\81720\Program\SERVIC~1.EXE
daveyben
Active Member
 
Posts: 6
Joined: November 7th, 2006, 3:17 pm

Post by Navigator » November 8th, 2006, 5:08 pm

Hey daveyben...that HJT log looks much better and appears 'clean'. Is your computer still having any problems?

I believe that you may have two AV programs running on your machine...the AVG and the f-secure (related to talk talk)? If this is indeed the case, having two AV programs running at the same time can negatively affect system performance.

Let's do an online scan to see if it finds anything of significance:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri
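
Added example (not part of the original thread, and not HijackThis's own code): a small Python comparison of the "before" and "after" HijackThis logs posted above, listing which processes and entries disappeared after cleaning and which entries only changed value. The sample logs are abridged from this thread; the names `parse_hjt` and `diff_hjt` are illustrative.

```python
import re

# Abridged from the two HijackThis logs posted in this thread (before/after cleaning).
BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\iVideoCodec\isamonitor.exe
C:\Program Files\iVideoCodec\isamini.exe
C:\Program Files\SpyNoMore\SNM.exe

O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\iVideoCodec\isaddon.dll
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O17 - HKLM\System\CCS\Services\Tcpip\..\{0071E3F0-6D71-485F-AB39-A5D05681D272}: NameServer = 62.24.128.18 62.24.128.17
"""
AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O17 - HKLM\System\CCS\Services\Tcpip\..\{0071E3F0-6D71-485F-AB39-A5D05681D272}: NameServer = 62.24.252.135 62.24.252.134
"""

ENTRY = re.compile(r"^[ORFN]\d+ - ")  # HijackThis section codes, e.g. "O4 - ..."


def parse_hjt(text):
    """Return (processes, entries); entries map a stable key to the full line."""
    procs, entries, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.add(line.lower())   # Windows paths are case-insensitive
        elif ENTRY.match(line):
            # Key is the text before " = ", so a changed value is reported
            # as a change rather than an unrelated removal plus addition.
            entries[line.split(" = ", 1)[0].lower()] = line
    return procs, entries


def diff_hjt(before, after):
    """Compare two HijackThis logs and summarise what changed."""
    bp, be = parse_hjt(before)
    ap, ae = parse_hjt(after)
    return {
        "processes_gone": sorted(bp - ap),
        "processes_new": sorted(ap - bp),
        "entries_gone": sorted(be[k] for k in be.keys() - ae.keys()),
        "entries_new": sorted(ae[k] for k in ae.keys() - be.keys()),
        "entries_changed": sorted(
            (be[k], ae[k]) for k in be.keys() & ae.keys() if be[k] != ae[k]
        ),
    }


if __name__ == "__main__":
    for section, items in diff_hjt(BEFORE, AFTER).items():
        print(section)
        for item in items:
            print("   ", item)
```

A changed entry, such as the O17 NameServer value here, is not proof of infection in itself; it is a line to check against the DNS servers the connection is supposed to use.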

Post by daveyben » November 9th, 2006, 5:14 pm

Hi there, it seems to have all gone. You're a bloody star, thanks very much.
I tried to run the Panda programme but my PC keeps freezing, and it's been a little slow lately; like when I go on a web site the pages are just white sometimes, not always. Also, when I start up my PC it's taking a while to load up; the Windows logo at the start seems to take forever and it never used to. Anyway, thanks for getting the iesecurepages for me. Dave
daveyben
Active Member
 
Posts: 6
Joined: November 7th, 2006, 3:17 pm

Post by Navigator » November 10th, 2006, 1:26 am

daveyben wrote: Hi there, it seems to have all gone. You're a bloody star, thanks very much.
I tried to run the Panda programme but my PC keeps freezing, and it's been a little slow lately; like when I go on a web site the pages are just white sometimes, not always. Also, when I start up my PC it's taking a while to load up; the Windows logo at the start seems to take forever and it never used to. Anyway, thanks for getting the iesecurepages for me. Dave


You are welcome.

With regard to the 'slow' performance and 'slow' startup, as I stated previously...it appears that you have two anti-virus (AV) programs installed and running, and this may be the cause of, or contributing to, your problem.

Anti-Virus programs take up an enormous amount of your computer's resources when they are loading at boot up and actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

If you choose to install more than one Anti-Virus program on your computer, then only one of them should be active in memory at a time. You should either disable one of the AV programs from running at start up/running in the background or pick ONE AV program to keep and uninstall the other. I would fix this first before doing anything else regarding your system's performance.



I still think an online scan would be of benefit....since PandaScan seems to be having trouble completing, try the F-Secure online scanner:

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


Post back with the f-secure online scan results and let me know if fixing the multiple AV program problem helps with your 'slowness' problems.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Post by Nellie2 » December 23rd, 2006, 7:42 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

The help you receive here is free but you can help support this site from this link if you wish:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK