I can't get this spyware off my computer!!!

Comments

• Leonardo Wake up and smell the glaciers Eagle River, Alaska Icrontian

  February 2006 edited February 2006

  I moved your thread over here.
  
  One of our volunteers will assist as soon as they have the opportunity.

  0
• A7X311

  February 2006 edited February 2006

  thank you very much!

  0
• Trogan London, UK

  February 2006 edited February 2006

  Hi, Welcome to Short-Media
  
  You have a few things going on, so we will run some scans first, where you will have to reboot several times.
  
  Can you do the following:
  
  Remove the following from Add/Remove programs in Control Panel:
  

  • WinTools
    
  • RXResultTracker
  • Jalmp
  • webHancer

  
  =====
  

  • Download the PurityScan uninstaller..
    
  • Click on the link given and download the tool to your desktop.
    
  • Close ALL open browsers and programs
    
  • Open the file and follow the onscreen intructions

  =====
  
  Follow these instructions to confgure and run Ad-Aware
  
  1) Run Ad-Aware, and click Check for updates now.
  
  2) Select Configurations (click the Gear wheel at the top) as follows:

  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

  Click Proceed.
  3) To start the scan, Click > "Scan Now" at left

  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next

  4) When the scan has completed, select Next.

  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.

  =====
  
  Follow these instructions for SpyBot
  

  1. Open SpyBot
     
  2. In the Menu Bar at the top of the Spybot window you will see 'Mode'.
     Make certain that 'default mode' has a check mark beside it.
     
  3. Close ALL windows except Spybot S&D
     
  4. Click the button to ‘Search for Updates’ then download and install the updates.
     
  5. Next click the button ‘Check for Problems'
     
  6. When Spybot is complete, it will be showing ‘RED’ entries, bold 'BLACK' entries and ‘GREEN’ entries in the window
     
  7. Make certain there is a check mark beside all of the RED entries ONLY.
     
  8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
     
  9. REBOOT normally to complete the scan and clear memory.

  =====
  
  
  Please download the trial version of Ewido Security Suite here:
  http://www.ewido.net/en/download/
  When installing the program, under "Additonal Options" uncheck..

  • Install background guard
  • Install scan via context menu

  
  Once installed, update the definitions to the newest files. Do NOT run a scan yet.
  Next, please reboot your computer in Safe Mode by doing the following:
  1) Restart your computer
  2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3) Instead of Windows loading as normal, a menu should appear
  4) Select the first option, to run Windows in Safe Mode.
  
  For additional help in booting into Safe Mode, see the following site:
  http://www.pchell.com/support/safemode.shtml
  
  Once in Safe Mode, please run Ewido
  (Do not use the computer while Ewido is scanning)
  

  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop

  Close Ewido
  
  Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

  0
• A7X311

  February 2006 edited February 2006

  ok, i did everything you said to do, but i had a couple problems. first problem was that i couldn't find these (WinTools, RXResultTracker, Jalmp, webHancer) in my add/remove section of my control panel. so i didn't delete those. also this is my work computer and they don't know i have spyware on here and i don't want them to find out and this computer is running windows xp professional so when you log on you gotta have a password, and in safe mode only the administrator can log on. is there anyway around that? other than that i did everything else and i just ran an ewido scan in normal mode so here are my logs on both programs, ewido first....
  
  
  
  
  

  ---

  ewido anti-malware - Scan report

  ---

  
  + Created on: 3:07:06 PM, 2/22/2006
  + Report-Checksum: B2178BBE
  
  + Scan result:
  
  C:\Documents and Settings\jmorris\My Documents\finger.exe -> Not-A-Virus.BadJoke.Win32.Finger.b : Ignored
  C:\Documents and Settings\jmorris\My Documents\finger.zip/finger.exe -> Not-A-Virus.BadJoke.Win32.Finger.b : Ignored
  HKLM\SOFTWARE\Classes\CLSID\{01EB5130-FC0C-4d75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
  HKLM\SOFTWARE\Classes\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
  HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
  HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01EB5130-FC0C-4d75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
  HKU\S-1-5-21-343818398-1425521274-725345543-1170\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
  HKU\S-1-5-21-343818398-1425521274-725345543-1170\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
  HKU\S-1-5-21-343818398-1425521274-725345543-1170\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup
  HKU\S-1-5-21-343818398-1425521274-725345543-1170\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@a.tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@com[2].txt -> TrackingCookie.Com : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@need2find[2].txt -> TrackingCookie.Need2find : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@pro-market[1].txt -> TrackingCookie.Pro-market : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
  C:\Documents and Settings\jmorris\Cookies\jmorris@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
  C:\Downloads\Bej2Setup_TryGames-dm[1].exe -> Adware.Trymedia : Cleaned with backup
  C:\Downloads\FamilyFeudSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
  C:\Downloads\HangStanTriviaSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
  C:\Downloads\WordCollectionSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
  C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
  C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
  C:\WINDOWS\=NOI.exe/eee2.exe -> Adware.MediaMotor : Cleaned with backup
  C:\WINDOWS\Downloaded Program Files\CONFLICT.1\elite.ocx -> Adware.MediaMotor : Cleaned with backup
  C:\WINDOWS\Downloaded Program Files\elite.ocx -> Adware.MediaMotor : Cleaned with backup
  C:\WINDOWS\htwfdr.exe -> Downloader.Small.bmx : Cleaned with backup
  C:\WINDOWS\JUSTIN2.exe -> Adware.EZula : Cleaned with backup
  C:\WINDOWS\msv.exe -> Adware.WinAD : Cleaned with backup
  C:\WINDOWS\surv3.exe -> Downloader.VB.vv : Cleaned with backup
  C:\WINDOWS\svchost.exe -> Adware.WinAD : Cleaned with backup
  C:\WINDOWS\system32\70tovmto.ini -> Adware.Sahat : Cleaned with backup
  C:\WINDOWS\system32\bobdncb.exe -> Downloader.Qoologic.ac : Cleaned with backup
  C:\WINDOWS\system32\jbjen.dll -> Downloader.Qoologic.ac : Cleaned with backup
  C:\WINDOWS\system32\pvpwa.dat -> Downloader.Qoologic.ac : Cleaned with backup
  C:\WINDOWS\system32\rjdsregq.exe -> Adware.ZenoSearch : Cleaned with backup
  C:\WINDOWS\system32\rwinksap.exe -> Adware.ZenoSearch : Cleaned with backup
  C:\WINDOWS\system32\wgse.exe -> Trojan.Runner.h : Cleaned with backup
  C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
  C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Adware.WebHancer : Cleaned with backup
  C:\WINDOWS\ZIFI002.exe -> Adware.ZenoSearch : Cleaned with backup
  C:\WINDOWS\ZIIMG001.exe -> Adware.ZenoSearch : Cleaned with backup
  
  
  ::Report End
  
  
  
  
  
  and.............
  
  
  
  
  Logfile of HijackThis v1.99.1
  Scan saved at 3:17:55 PM, on 2/22/2006
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
  C:\Program Files\ewido anti-malware\ewidoctrl.exe
  C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
  C:\Program Files\iTunes\iTunesHelper.exe
  C:\WINDOWS\system32\rwinksai.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\iPod\bin\iPodService.exe
  C:\Program Files\AutoCAD 2005\acad.exe
  C:\DOCUME~1\jmorris\LOCALS~1\Temp\AdskCleanup.0001
  C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
  C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\HJT\HijackThis.exe
  
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
  R3 - Default URLSearchHook is missing
  O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
  O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmyuqe.dll
  O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
  O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
  O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
  O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
  O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
  O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinksai.exe IMG001
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
  O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
  O4 - HKCU\..\Run: [Lroo] "C:\Program Files\laah\pmac.exe" -vt yazb
  O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
  O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinksai.exe
  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
  O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
  O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
  O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
  O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
  O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
  O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
  O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
  O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
  O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
  O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
  O15 - Trusted Zone: *.elitemediagroup.net
  O15 - Trusted Zone: http://click.getmirar.com (HKLM)
  O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
  O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
  O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
  O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
  O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fg.foresite.local
  O17 - HKLM\Software\..\Telephony: DomainName = fg.foresite.local
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fg.foresite.local
  O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
  O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
  O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
  O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
  O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
  O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  
  thank you so much for helping me. see if you can still see some stuff. thanks again!

  0
• Trogan London, UK

  February 2006 edited February 2006

  A7X311 wrote:

  ]...also this is my work computer and they don't know i have spyware on here and i don't want them to find out and this computer is running windows xp professional so when you log on you gotta have a password, and in safe mode only the administrator can log on. is there anyway around that?...

  The only way to get around is by knowing the admin password.
  =====
  
  
  Remove the following from Add/Remove programs
  
  Viewpoint
  =====
  
  
  Run HiJackThis then:
  
  1. Click "Open the Misc Tools Section"
  2. Click "Open Process manager"
  
  -
  
  Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
  
  C:\WINDOWS\system32\rwinksai.exe
  C:\WINDOWS\system32\gah95on6.exe
  C:\WINDOWS\system32\irssyncd.exe
  C:\Program Files\webHancer\Programs\whSurvey.exe
  
  Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain
  =====
  
  
  Open HijackThis
  - Click the Do a system scan only button
  - Check the following entries (below)
  
  R3 - Default URLSearchHook is missing
  
  O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmyuqe.dll
  O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
  
  O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
  O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
  O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinksai.exe IMG001
  O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
  O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinksai.exe
  
  O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
  
  O15 - Trusted Zone: *.elitemediagroup.net
  O15 - Trusted Zone: http://click.getmirar.com (HKLM)
  O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
  O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
  
  O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
  
  O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
  
  - Close ALL open windows
  Click Fix Checked
  =====
  
  View hidden files and folders – explained here
  
  =====
  
  
  Find and Delete the following, if found:
  
  C:\WINDOWS\system32\irsmyuqe.dll << This file
  C:\WINDOWS\system32\irssyncd.exe << This file
  C:\WINDOWS\system32\gah95on6.exe << This file
  C:\WINDOWS\system32\rwinksai.exe << This file
  
  C:\Program Files\webHancer << this folder
  C:\Porgram Files\Common Files\WinTools << this folder
  C:\Program Files\Jalmp << this folder
  =====
  
  
  Reboot and post a new HJT log
  
  

  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
  • C:\Program Files\laah\pmac.exe
  • Click on the submit button
  • Please post the results in your next reply.

  0
• A7X311

  February 2006 edited February 2006

  thanks alot for your help man, my computer has gotten alot better i'm not sure if it still has pop-ups or not, but i had one this morning before i did all the stuff you told me to do, but one is ok. i did everything you said and here is the new HJT log.....
  
  
  Logfile of HijackThis v1.99.1
  Scan saved at 9:35:03 AM, on 2/23/2006
  Platform: Windows XP SP2 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
  C:\Program Files\ewido anti-malware\ewidoctrl.exe
  C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
  C:\WINDOWS\Explorer.EXE
  C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\Program Files\iTunes\iTunesHelper.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  C:\Program Files\iPod\bin\iPodService.exe
  C:\Program Files\AutoCAD 2005\acad.exe
  C:\DOCUME~1\jmorris\LOCALS~1\Temp\AdskCleanup.0001
  C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
  C:\WINDOWS\system32\wuauclt.exe
  C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
  C:\HJT\HijackThis.exe
  
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
  O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
  O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
  O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
  O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
  O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
  O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
  O4 - HKCU\..\Run: [Lroo] "C:\Program Files\laah\pmac.exe" -vt yazb
  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
  O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
  O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
  O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
  O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
  O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
  O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
  O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
  O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
  O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
  O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fg.foresite.local
  O17 - HKLM\Software\..\Telephony: DomainName = fg.foresite.local
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fg.foresite.local
  O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
  O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
  O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
  O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
  O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
  O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  
  
  ::Report End
  
  
  
  and here is the jotti's malware scan...
  
  The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
  
  i appreciate all you have done for me so far, please take a look at this and let me know if you see anything else!!!! thanks

  0
• Trogan London, UK

  February 2006 edited February 2006

  Not much left now
  
  Can you remove the following with HJT:
  
  O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
  
  Then, find and Delete the following folder:
  
  C:\Porgram Files\Common Files\WinTools << this folder
  
  
  Reboot! No need to post a new HJT log yet.
  
  Do you have a Firewall?
  =====
  
  
  I cant find much info on the following file.
  
  --C:\Program Files\laah\pmac.exe--
  
  Was hoping Jottis Scan with provide something.
  
  
  Do you use macs by any chance?

  0
• A7X311

  February 2006 edited February 2006

  hey, i deleted the file on HJT, but i couldn't find the WinTools file at all. I don't think i have a firewall, the anti-virus program is ran by symantec. i didn't see anything about a firewall. yesterday i still had a couple of pop-ups, but that was it so i think we got everything for the most part. do you think i should delete that mac file that we don't know what it is? thanks for all your help man and i hope to hear from ya.

  0
• Trogan London, UK

  February 2006 edited February 2006

  A Firewall should stop some of the other popups you are getting.
  
  Don't worry too much about the WinTools folder. It may have been deleted
  
  Before we remove the pmac.exe file, lets do one more scan.
  
  Can you copy and paste the following file path here. Paste it into the box at the top and hit SEND
  
  C:\Program Files\laah\pmac.exe
  
  If the scans come back as "no virus found", then you can leave it. If it shows something else, do the following:
  
  Remove this entry with HJT:
  
  O4 - HKCU\..\Run: [Lroo] "C:\Program Files\laah\pmac.exe" -vt yazb
  
  Next, find and Delete the following folder:
  
  C:\Program Files\laah
  =====
  
  
  Choose ONE of these free software Firewalls.
  
  Zone Alarm
  Sygate
  Sunbelt Kerio PF
  =====
  
  
  Reboot and post a new HJT log

  0