Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


strange mjr popup, project1.exe and others + hjt log



Post by Steve-0 » January 21st, 2006, 5:07 am

Hi, my name is Steven Anderson. I use Windows XP and browse almost exclusively with Firefox; however, there are younger family members (little sister etc.) using my PC daily, and they use IE. They tend to download music, games, junk, email attachments and who knows what else.


I play store-bought games and a lot of very old games through DOSBox etc. I run Lightwave when I do 3D modeling, and that's basically it. If you need my system specs for whatever random reason, let me know.

I recently was browsing with Firefox, when a strange popup entitled MJR appeared. It was blank. After a few seconds it went to some 404 screen, and said that Internet Explorer was trying to access something but timed out. I opened task manager and saw a strange project1.exe under my applications. I googled it and it turned out to be a trojan. I ran spybot and it found quite a few items, all of which I got rid of. I restarted my pc and saw a strange dos prompt box appear for about a second or two.

It flashed 5 or so filenames and disappeared. I opened my task manager and saw several strange tasks. One was entitled mjrr.exe, one was something like 834934.exe (which when I googled it was part of some "internet optimiser" which was plain as day spyware), some webhancer thing, and the same project1.exe.

I deleted mjrr.exe from my system folder, and from my prefetch folder, got rid of the 834934.exe with spybot, and the project1.exe has yet to return. This spooked me pretty bad and I would like any info on steps I should take to ensure I'm back to normal. I say this because my hijack log still lists mirar search (related to the project1.exe) as a trusted zone, and because it still shows the whole webhancer thing.


I'll also post my HijackThis log in a minute.
Steve-0
Active Member
 
Posts: 7
Joined: January 21st, 2006, 4:39 am

Post by Steve-0 » January 21st, 2006, 5:12 am

Logfile of HijackThis v1.99.1
Scan saved at 2:00:27 AM, on 1/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.huy-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.huy-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.huy-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huy-search.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.huy-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huy-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.huy-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.huy-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.huy-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.huy-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://developer.intel.com/design/motherbd/specials.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\sysdll32.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mswspl] ???
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [dnsodbc] C:\WINDOWS\msagent\dnsodbc.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [F ma] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Setup79.exe] C:\WINDOWS\System32\Setup79.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [ZICORN] C:\WINDOWS\System32\ZICORN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\System32\winupd.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.line6.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O19 - User stylesheet: C:\WINDOWS\winstyle.css
O19 - User stylesheet: C:\WINDOWS\winstyle.css (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Steve-0
Active Member
 
Posts: 7
Joined: January 21st, 2006, 4:39 am

Post by VopThis » January 21st, 2006, 9:05 am

Download deldomains:
http://www.mvps.org/winhelp2002/DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Note: If you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford.
  • For SpywareBlaster, run the program and re-protect all items.
  • For IE/Spyads, run the batch file and reinstall the protection.



Please download, install, update and scan your system with the free (trial) version of Ewido trojan scanner:
  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.




POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

There will be more to do after this.
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Post by Steve-0 » January 21st, 2006, 11:10 pm

Thanks for your help so far. I have also installed ZoneAlarm and anti-virus. This is my brother's ex-gaming PC, and I don't think it's ever had a virus or spyware scan in its history.

Logfile of HijackThis v1.99.1
Scan saved at 8:08:01 PM, on 1/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.huy-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.huy-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.huy-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huy-search.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.huy-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huy-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.huy-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.huy-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.huy-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.huy-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://developer.intel.com/design/motherbd/specials.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\sysdll32.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\System32\winupd.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O19 - User stylesheet: C:\WINDOWS\winstyle.css
O19 - User stylesheet: C:\WINDOWS\winstyle.css (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Steve-0
Active Member
 
Posts: 7
Joined: January 21st, 2006, 4:39 am

Post by VopThis » January 22nd, 2006, 2:02 am

Do you have your last ewido log results that you can post?

You appear to have disabled some running applications in MSCONFIG - it is not possible to fix resolvable items that can't be seen.



You really need to set up a dedicated folder for HJT items – to avoid horrible clutter and potential lost-backup issues.

It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.

Create a new folder in your C: Drive. Name it HJT (or HijackThis) such as C:\Program Files\HJT, C:\HJT and move the HijackThis.exe file in it. Run HJT from there (and revise your shortcut accordingly).



HIDDEN FILES: To make sure you can see any and all hidden files, please follow the directions here, if needed.

Scan unknown files for viruses/malware
Please go to this website and submit the following files (copy and paste each full file PATH) for possible Viruses/Trojans detection analysis and immediate feedback:
http://virusscan.jotti.org/

Submit these files (or use Start>Search to locate FULL File Path):

C:\WINDOWS\System32\winupd.exe

Let us know what the results were for the file(s).
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada
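When a revised HijackThis log comes back, the reviewer's first job is to see exactly which entries disappeared after the fixes (the DelDomains step should empty the O15 Trusted Zone list, for instance), which ones are new (the ZoneAlarm and ewido entries), and which suspicious items survived and still need attention, such as the hijacked huy-search.info start/search pages and the [Windows Update] winupd.exe Run entry that VopThis asks to have checked at Jotti. The script below is an added example written for this thread, not a tool from the forum or part of HijackThis: it parses the `Rn - ...` / `On - ...` lines of two logs, diffs them, and summarises the entry types a reviewer looks at first. The two embedded sample logs are excerpts of the two logs posted above; the function names and the REVIEW_SECTIONS table are my own.

```python
"""Diff two HijackThis logs and summarise what a reviewer should look at.

Added example for this thread; it is not part of HijackThis or of the forum's
own tooling. The sample logs are excerpts of the two logs posted in the thread.
"""
import re
from collections import Counter

# One HijackThis line: a section tag (R0, R1, O4, O15, ...), " - ", then the body.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")

# Entry types a reviewer looks at first (my own grouping, not HJT's).
REVIEW_SECTIONS = {
    "R0": "IE start/search setting",
    "R1": "IE start/search setting",
    "R3": "URLSearchHook",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart entry (Run key)",
    "O15": "Trusted Zone entry",
    "O16": "ActiveX download (DPF)",
    "O19": "user stylesheet",
}

# Constructed sample input: excerpt of the first log posted above.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huy-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.huy-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huy-search.info/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://developer.intel.com/design/motherbd/specials.htm
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [F ma] C:\windows\mrjj.exe
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\System32\winupd.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
"""

# Constructed sample input: excerpt of the revised (second) log posted above.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huy-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.huy-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huy-search.info/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://developer.intel.com/design/motherbd/specials.htm
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\System32\winupd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""


def parse_hjt(text):
    """Return the set of (section, body) entries in a HijackThis log."""
    entries = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.add((m.group("section"), m.group("body")))
    return entries


def diff_logs(before, after):
    """Return (removed, added): entries only in the old log, and only in the new one."""
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted(b - a), sorted(a - b)


def unchanged_review_items(before, after):
    """Entries present in both logs that belong to a reviewed section (still open items)."""
    common = parse_hjt(before) & parse_hjt(after)
    return sorted(e for e in common if e[0] in REVIEW_SECTIONS)


def trusted_zone_hosts(text):
    """Hosts listed in O15 Trusted Zone entries, with the '(HKLM)' suffix stripped."""
    prefix = "Trusted Zone: "
    return [body[len(prefix):].replace(" (HKLM)", "")
            for section, body in sorted(parse_hjt(text))
            if section == "O15" and body.startswith(prefix)]


def search_page_domains(text):
    """Count the host each R0/R1 setting points at; about:blank and empty values are skipped.

    One unfamiliar host set as start page, search page and search assistant at
    once (as huy-search.info is above) is the usual signature of a browser hijack.
    """
    counts = Counter()
    for section, body in parse_hjt(text):
        if section in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1].strip()
            m = re.match(r"https?://([^/]+)", value)
            if m:
                counts[m.group(1).lower()] += 1
    return counts


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Gone since the first log:")
    for section, body in removed:
        print(f"  {section} - {body}  [{REVIEW_SECTIONS.get(section, 'other')}]")
    print("New in the revised log:")
    for section, body in added:
        print(f"  {section} - {body}  [{REVIEW_SECTIONS.get(section, 'other')}]")
    print("Still present and worth a look:")
    for section, body in unchanged_review_items(BEFORE_LOG, AFTER_LOG):
        print(f"  {section} - {body}")
    print("Trusted Zone hosts now:", trusted_zone_hosts(AFTER_LOG) or "none")
    print("Start/search hosts now:", dict(search_page_domains(AFTER_LOG)))
```

Run it as-is to see the three lists for the excerpts; to use it on real logs, read the two saved HijackThis text files into BEFORE_LOG and AFTER_LOG. The point of the "still present" list is that a clean diff is not the same as a clean machine: the huy-search.info settings and the winupd.exe autostart survive the first round of fixes unchanged, which is exactly why the thread asks for a file submission and a further log.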

Post by Steve-0 » January 23rd, 2006, 3:43 pm

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:34:20 PM, 1/21/2006
+ Report-Checksum: 734A835D

+ Scan result:

HKLM\SOFTWARE\180solutions -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\SideFind -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\SideFind\History -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1957994488-413027322-1417001333-1003\Software\2nd -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-21-1957994488-413027322-1417001333-1003\Software\2nd\Client -> Spyware.SecondThought : Cleaned with backup
HKU\S-1-5-21-1957994488-413027322-1417001333-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{000007AB-7059-463E-BD44-101A1750D732} -> Spyware.SideSearch : Cleaned with backup
C:\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\SecTaskMan\alchem.exe.q_2CFC05D_q -> Downloader.Alchemic : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\SecTaskMan\bvm202.dll.q_2CF644E_q -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\SecTaskMan\CSIE.DLL.q_FFC7E01_q -> Spyware.ClearSearch : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\SecTaskMan\erfmonp.exe.q_8041_q -> Downloader.Vb.ca : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\SecTaskMan\nem219.dll.q_2CF8700_q -> Downloader.Dyfuca : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\SecTaskMan\sfbho13.dll.q_9C07801_q -> Spyware.SideFind : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Amanda's Account\Application Data\Mozilla\Firefox\Profiles\n4sd34ov.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@cartoonnetwork.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@reduxads.valuead[1].txt -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@test.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@webpdp.gator[2].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@www.sidefind[2].txt -> Spyware.Cookie.Sidefind : Cleaned with backup
C:\Documents and Settings\Amanda's Account\Cookies\amanda's account@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mudbpitf.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\sysupd.exe -> Logger.Agent.l : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Del1.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Del1E.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Del3.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\exp.exe -> Downloader.Small.abd : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\fNuxpFD.exe -> Downloader.IstBar.fg : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\iinstall.exe -> Downloader.IstBar.nl : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\mit6.tmp/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\mit6.tmp.cab/NNBar_VCSetup_876029.exe -> Adware.Mirar : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\Patch281.exe -> Dropper.Agent.aa : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\sr.exe -> Dropper.Delf.dj : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\_update.dat -> Logger.Agent.h : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CJMPWTQ9\Microsoft[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CJMPWTQ9\nem220[1].dll -> Downloader.Dyfuca : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OHARO9MB\876029[1].exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OHARO9MB\mm63[1].ocx -> Spyware.MediaMotor : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OHARO9MB\optimize[1].exe -> Downloader.Dyfuca.EI : Cleaned with backup
C:\installer\id53.exe -> Trojan.SecondThought.l : Cleaned with backup
C:\Program Files\Common Files\auqtfrdp\anonaaqnac\sapmmotdu.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\auqtfrdp\rotnrnpt\fcpomnlm.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Internet Explorer\wvbflfwa.exe -> Backdoor.Jeemp.c : Cleaned with backup
C:\Program Files\over.exe -> Trojan.Revop.A : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Downloader.Small.Iq : Cleaned with backup
C:\Program Files\winupdates\winupdates.exe -> Worm.VB.an : Cleaned with backup
C:\s.tmp -> Worm.VB.an : Cleaned with backup
C:\Temp\KB887472-x86.exe -> Dropper.Agent.hl : Cleaned with backup
C:\WINDOWS\BvmUnst2.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\IEengine.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\IEengine.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\infamous.exe -> Logger.Briss.h : Cleaned with backup
C:\WINDOWS\msagent\dnsodbc.exe -> Logger.Agent.p : Cleaned with backup
C:\WINDOWS\nem220.dll_tobedeleted -> Downloader.Dyfuca : Cleaned with backup
C:\WINDOWS\pup.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\seli.exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\system32\asphoner.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\bdcrk.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\bdkazk.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\c6opv.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\CS4P028.exe -> Downloader.Small.Go : Cleaned with backup
C:\WINDOWS\system32\gav.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\infamous_downloader.exe -> Downloader.Small.Iq : Cleaned with backup
C:\WINDOWS\system32\install2.exe -> Trojan.SecondThought.l : Cleaned with backup
C:\WINDOWS\system32\mandlgu.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\ngfiltp.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\OSUBSYSI.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\pnphostu.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\scpxl32m.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\silent.exe -> Spyware.WinFetcher.b : Cleaned with backup
C:\WINDOWS\system32\SREGN.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\svcr71m.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\to4svc6.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\ventclse.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\winrun.exe -> Downloader.Small.bnz : Cleaned with backup
C:\WINDOWS\system32\xmasfd.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\_10017c.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\system32\_1254c.exe -> Downloader.Vb.ca : Cleaned with backup
C:\WINDOWS\UnstSA2.exe -> Dropper.Delf.z : Cleaned with backup
C:\WINDOWS\update13.js -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\webhdll.dll_tobedeleted -> Spyware.WebHancer : Cleaned with backup
C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Spyware.WebHancer : Cleaned with backup


::Report End



You appear to have disabled some running applications in MSCONFIG - it is not possible to fix resolvable items that can't be seen.


I assume you meant that if these applications don't load on startup because I have them disabled, that they won't be detected by hijackthis or ewido. Let me know if I need to enable those and scan again.

I enabled hidden files, and I searched for the path to winupd.exe and it wasn't found at all. Neither does it appear in my system32 folder. I'm not sure why that is. The closest thing I could find is winudpmgr.exe.
Steve-0
Active Member
 
Posts: 7
Joined: January 21st, 2006, 4:39 am

Unread postby VopThis » January 23rd, 2006, 5:52 pm

Please disable Ewido as it may interfere with some of the following fixes.

C:\Documents and Settings\Owner\Desktop\hijackthis.exe

Please ensure that you are no longer running HijackThis from the desktop - otherwise all your fixes will litter your desktop. Your HijackThis location needs to be something like:
C:\Program Files\HJT\HijackThis.exe




Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat



We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.huy-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.huy-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.huy-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huy-search.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.huy-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huy-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.huy-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.huy-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.huy-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.huy-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

O4 - HKLM\..\Run: [SYSTEM32.DLL] C:\WINDOWS\system\sysdll32.exe
O4 - HKCU\..\Run: [WINDOWS UPDATE] C:\WINDOWS\System32\winupd.exe

Make sure that all browser windows and internet links are closed, even this one!
CLICK 'FIX CHECKED' with HijackThis.



HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and possible malware hiding places):

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
  • Temporary Internet Files
  • Downloaded Program Files
  • Recycle Bin
  • Temporary Files

Click OK or Enter

For additional, more thorough cleaning and for multi-profile user configurations:
(*) Run Clean.bat to clean up your TEMPorary files.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.




Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


DELETE FILES:
C:\WINDOWS\system\sysdll32.exe




POST A REVISED HIJACKTHIS LOG for review:
Enable all items hidden by MSCONFIG for purposes of your latest HJT log.

Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada
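As an added example (not part of the thread, and not HijackThis's or the helper's own code), the following Python script parses the R0/R1/R3, O2/O3 and O4 line formats quoted in the fix list above and reports why a reviewer would flag each one; the host allowlist, the OS-keyword heuristic and the two benign sample lines are constructed.

```python
"""Triage the R0/R1/R3, O2/O3 and O4 lines of a HijackThis log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: the entries flagged in this thread plus two benign lines
# (the msn.com start page and the SoundMan run key) added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.huy-search.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huy-search.info/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SYSTEM32.DLL] C:\WINDOWS\system\sysdll32.exe
O4 - HKCU\..\Run: [WINDOWS UPDATE] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# Constructed allowlist of hosts IE points to out of the box. Any other host in a
# start/search value deserves a look, and so does about:blank (no host at all),
# because hijackers blank the search keys they replace.
TRUSTED_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com"}
# Constructed heuristic: run-key labels that imitate operating-system components.
OS_LIKE_WORDS = ("windows", "system", "update", "microsoft")

R_LINE = re.compile(r"^R[01] - (HKCU|HKLM)\\(.+?),([^=]+?) = (.*)$")
R3_LINE = re.compile(r"^R3 - (.*)$")
BHO_LINE = re.compile(r"^O[23] - (?:BHO|Toolbar): (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
RUN_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


@dataclass
class Finding:
    kind: str      # "hijack", "hook", "orphan" or "startup"
    detail: str    # human-readable reason the line needs review
    line: str      # the original log line


def parse_entry(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if it looks benign."""
    line = line.strip()
    if m := R_LINE.match(line):
        hive, key, name, data = m.groups()
        host = urlparse(data).hostname
        if host in TRUSTED_HOSTS:
            return None
        what = "blanked" if data == "about:blank" else f"points at {host or data}"
        return Finding("hijack", f"{hive}\\{key} '{name.strip()}' {what}", line)
    if m := R3_LINE.match(line):
        # A missing URLSearchHook is typically restored as part of the fix.
        return Finding("hook", m.group(1), line)
    if m := BHO_LINE.match(line):
        name, clsid, path = m.groups()
        if "(file missing)" in path or "(no file)" in path:
            return Finding("orphan", f"{name} {{{clsid}}} has no file on disk", line)
        return None
    if m := RUN_LINE.match(line):
        hive, label, cmd = m.groups()
        exe = cmd.split(" ")[0]
        if any(word in label.lower() for word in OS_LIKE_WORDS):
            return Finding("startup", f"{hive} Run '{label}' launches {exe}", line)
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Run parse_entry over every line and keep only the ones needing review."""
    return [f for f in map(parse_entry, log_text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. {'hijack': 3, 'hook': 1, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.kind:7}] {finding.detail}")
```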

Unread postby Steve-0 » January 26th, 2006, 1:49 am

I went into safemode and tried to run cleanmgr.exe. However every attempt to do so never gets past "compressing old files". It simply locks up at that point, even given long periods of time. I'll follow all other steps and post a new hjt shortly.


edit: Never mind I found a fix.
Steve-0
Active Member
 
Posts: 7
Joined: January 21st, 2006, 4:39 am

Unread postby Nick-YF19 » February 7th, 2006, 10:46 am

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby ChrisRLG » February 11th, 2006, 5:49 pm

Reopened on email request.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby NonSuch » February 26th, 2006, 1:56 pm

This topic is now closed due to a lack of response from the topic originator after requesting that the topic be reopened.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California