Search Assistant Problems
I have followed the outlined steps within the posted sticky thread, but I cannot locate any of the services to "stop" for step 4. I also tried the additional steps noted in the thread with the "get active services" log without any luck.
So... Now I am posting my Active.txt file and HJT scan results for any help.
The computer is probably infected with additional problems, but the Search Assistant is one that shows up in the Add/Remove Programs list, so it needs to be removed. The computer is plagued with pop-ups and now has annoying green links that materialize for given words throughout Internet Explorer. The links are irrelevant to the webpage; I am not sure if this is also attributable to the Search Assistant program. Any help is appreciated...
Mirar is another annoying infection we have been battling.
Active.txt
These are the Current Active Services:
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Background Intelligent Transfer Service: BITS
C:\WINDOWS\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Logical Disk Manager: dmserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Fast User Switching Compatibility: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
HID Input Service: HidServ
C:\WINDOWS\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
hijackthis.log
Logfile of HijackThis v1.99.1
Scan saved at 5:44:56 PM, on 2/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\??erinit.exe
C:\Program Files\steh\erec.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\HOME USERS_2\Desktop\HJT\hijackthis_199\HijackThis.exe
R3 - URLSearchHook: (no name) - {E07E27EC-EA5C-C0A0-7DE5-B39EFD4205E2} - C:\WINDOWS\System32\vzht.dll
O1 - Hosts: (null) onlineaccounts2.abbeynational.co.uk
O1 - Hosts: (null) www3.aibgbonline.co.uk
O1 - Hosts: (null) www.bank.alliance-leicester.co.uk
O1 - Hosts: (null) login.iblogin.com
O1 - Hosts: (null) ww2.bankofscotlandhalifax-online.co.uk
O1 - Hosts: (null) inet.barclays.co.uk
O1 - Hosts: (null) iibank.barclays.co.uk
O1 - Hosts: (null) iibank.cahoot.com
O1 - Hosts: (null) www3.coventrybuildingsociety.co.uk
O1 - Hosts: (null) ww.hsbc.co.uk
O1 - Hosts: (null) login.ebank.offshore.hsbc.co.je
O1 - Hosts: (null) ww3.online-offshore.lloydstsb.com
O1 - Hosts: (null) ww3.online-business.lloydstsb.co.uk
O1 - Hosts: (null) ww3.online.lloydstsb.co.uk
O1 - Hosts: (null) ww3.online.lloydstsb.co.uk
O1 - Hosts: (null) ww3.online-business.lloydstsb.co.uk
O1 - Hosts: (null) ob2.nationet.com
O1 - Hosts: (null) ww3.onlinebanking.natwestoffshore.com
O1 - Hosts: (null) ww1.nwolb.com
O1 - Hosts: (null) ww1.onlinebanking.iombank.com
O1 - Hosts: (null) ww1.www.rbsdigital.com
O1 - Hosts: (null) welcome.smile.co.uk
O1 - Hosts: (null) login.365online.com
O1 - Hosts: (null) wvw.citizensbankonline.com
O1 - Hosts: (null) esecure.regionsnet.com
O1 - Hosts: (null) rollb.associatedbank.com
O1 - Hosts: (null) upb.unionplanters.com
O1 - Hosts: (null) www.onlinebanking.huntington.com
O1 - Hosts: (null) inet.southtrustonlinebanking.com
O1 - Hosts: (null) logon.personal.wamu.com
O1 - Hosts: (null) login.compassweb.com
O1 - Hosts: (null) logon.firstmeritib.com
O1 - Hosts: (null) login.ccfcuonline.org
O1 - Hosts: (null) ww3.etimebanker.bankofthewest.com
O1 - Hosts: (null) ww2.onlinebanking.lasallebank.com
O1 - Hosts: (null) wvw.totallyfreebanking.com
O1 - Hosts: (null) www.online.wellsfargo.com
O1 - Hosts: (null) www.onlinebanking.bankofoklahoma.com
O1 - Hosts: (null) accounts4.keybank.com
O1 - Hosts: (null) logon.bankone.com
O1 - Hosts: (null) www.secure.tdbanknorth.com
O1 - Hosts: (null) www.secure.mvnt4.com
O1 - Hosts: (null) ww.mynfbonline.com
O1 - Hosts: (null) login.forumcuonline.com
O1 - Hosts: (null) www.eds.usersonlnet.com
O1 - Hosts: (null) www.onlineid.bankofamerica.com
O1 - Hosts: (null) wvw.e-gold.com
O1 - Hosts: (null) pcbs.peoples.com
O1 - Hosts: (null) www.global1.onlinebank.com
O1 - Hosts: (null) ww2.mybranch.lafcu.com
O1 - Hosts: (null) login.webbanking.comerica.com
O1 - Hosts: (null) web.banking.firsttennessee.com
O1 - Hosts: (null) logon.members1st.org
O1 - Hosts: (null) www.cib.ibanking-services.com
O1 - Hosts: (null) www.miwebbusbank.ebanking-services.com
O1 - Hosts: (null) wvw.paypal.com
O1 - Hosts: (null) www.signin.ebay.com
O1 - Hosts: (null) wvw.etrade.com
O1 - Hosts: (null) ww4.fleethomelink.fleet.com
O1 - Hosts: (null) ww3.connect.skyfi.com
O1 - Hosts: (null) www6.usbank.com
O1 - Hosts: (null) www.bvi.bancodevalencia.es
O1 - Hosts: (null) extrant.banesto.es
O1 - Hosts: (null) banesnt.banesto.es
O1 - Hosts: (null) activia.caixagalicia.es
O1 - Hosts: (null) www.bancae.caixapenedes.com
O1 - Hosts: (null) login.caixasabadell.net
O1 - Hosts: (null) oii.cajamadrid.es
O1 - Hosts: (null) login.cajamar.es
O1 - Hosts: (null) login.ccm.es
O1 - Hosts: (null) ww.unicaja.es
O1 - Hosts: (null) www5.bancopopular.es
O1 - Hosts: (null) ww3.bbvanet.com
O1 - Hosts: (null) ww.bayernlb.de
O1 - Hosts: (null) ww2.berliner-volksbank.de
O1 - Hosts: (null) ww7.homebanking-berlin.de
O1 - Hosts: (null) portal09.commerzbanking.de
O1 - Hosts: (null) www.meine.deutsche-bank.de
O1 - Hosts: (null) ww2.dresdner-privat.de
O1 - Hosts: (null) ww.e-banking.helaba.de
O1 - Hosts: (null) ww.hsh-nordbank.de
O1 - Hosts: (null) www.my.hypovereinsbank.de
O1 - Hosts: (null) ww3.homebanking-berlin.de
O1 - Hosts: (null) ww3.homebanking-berlin.de
O1 - Hosts: (null) www.banking.lbbw.de
O1 - Hosts: (null) lrp.sparkasse-banking.de
O1 - Hosts: (null) ww3.homebanking-niedersachsen.de
O1 - Hosts: (null) www.onlinebanking.norisbank.de
O1 - Hosts: (null) www.banking.postbank.de
O1 - Hosts: (null) wvw.internetbanking.gad.de
O1 - Hosts: (null) ww1.portal.izb.de
O1 - Hosts: (null) wvw.kunden-service.lbs.de
O1 - Hosts: (null) ibanking.seb.de
O1 - Hosts: (null) bw7.sparkasse-banking.de
O1 - Hosts: (null) ww2.homebanking-sparkasse.de
O1 - Hosts: (null) ww2.vr-networld-ebanking.de
O1 - Hosts: (null) ww.bics.fr
O1 - Hosts: (null) www.co.caixabank.fr
O1 - Hosts: (null) ww.creditmutuel.fr
O1 - Hosts: (null) internetbank.intesabci.it
O1 - Hosts: (null) ww.extensive.bancalombarda.it
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\System32\nst71.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmlbef.dll
O2 - BHO: (no name) - {E07E27EC-EA5C-C0A0-7DE5-B39EFD4205E2} - C:\WINDOWS\System32\vzht.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinrsap.exe FI002
O4 - HKLM\..\RunServices: [Microsoft Mapped PC] mapppc.exe
O4 - HKCU\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [immin] C:\WINDOWS\mm15201518.a.Stub.exe
O4 - HKCU\..\Run: [Microsoft Mapped PC] mapppc.exe
O4 - HKCU\..\Run: [Cyasenec] C:\WINDOWS\System32\??erinit.exe
O4 - HKCU\..\Run: [Content Manager Subsystem] cmss.exe
O4 - HKCU\..\Run: [Lcno] "C:\Program Files\steh\erec.exe" -vt ndrv
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O4 - HKCU\..\RunServices: [Content Manager Subsystem] cmss.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinrsap.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/godspeed/grinstall_gsm1009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131346266764
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe (file missing)
Thanks in advance....
Comments
Can you do the following please:
Download the PurityScan uninstaller.
Click on the link given and download the tool to your desktop.
Close ALL open browsers and programs.
Next, open the file and enter the 4-character code shown. Once the code is entered correctly, click Uninstall.
=====
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Once in Safe Mode, please run Ewido (do not use the computer while Ewido is scanning, as that may interrupt the scan):
- Click on scanner
- Click Complete System Scan and the scan will begin.
- NOTE: During some scans with ewido it is finding cases of false positives.
- You will need to step through the process of cleaning files one-by-one.
- If ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select "Perform action on all infections"
- If you are unsure of any entry found select none for now.
- When the scan is finished, click the Save report button at the bottom of the screen.
- Save the report to your desktop
Close Ewido. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
Logfile of HijackThis v1.99.1
Scan saved at 11:19:26 AM, on 2/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\steh\erec.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\HOME USERS\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\n?lookup.exe
C:\WINDOWS\System32\wuauclt.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R3 - URLSearchHook: (no name) - {67C73F4C-A3F3-8A52-8C5C-A87F136C81B1} - C:\WINDOWS\System32\unhsj.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: (null) onlineaccounts2.abbeynational.co.uk
O1 - Hosts: (null) www3.aibgbonline.co.uk
O1 - Hosts: (null) www.bank.alliance-leicester.co.uk
O1 - Hosts: (null) login.iblogin.com
O1 - Hosts: (null) ww2.bankofscotlandhalifax-online.co.uk
O1 - Hosts: (null) inet.barclays.co.uk
O1 - Hosts: (null) iibank.barclays.co.uk
O1 - Hosts: (null) iibank.cahoot.com
O1 - Hosts: (null) www3.coventrybuildingsociety.co.uk
O1 - Hosts: (null) ww.hsbc.co.uk
O1 - Hosts: (null) login.ebank.offshore.hsbc.co.je
O1 - Hosts: (null) ww3.online-offshore.lloydstsb.com
O1 - Hosts: (null) ww3.online-business.lloydstsb.co.uk
O1 - Hosts: (null) ww3.online.lloydstsb.co.uk
O1 - Hosts: (null) ww3.online.lloydstsb.co.uk
O1 - Hosts: (null) ww3.online-business.lloydstsb.co.uk
O1 - Hosts: (null) ob2.nationet.com
O1 - Hosts: (null) ww3.onlinebanking.natwestoffshore.com
O1 - Hosts: (null) ww1.nwolb.com
O1 - Hosts: (null) ww1.onlinebanking.iombank.com
O1 - Hosts: (null) ww1.www.rbsdigital.com
O1 - Hosts: (null) welcome.smile.co.uk
O1 - Hosts: (null) login.365online.com
O1 - Hosts: (null) wvw.citizensbankonline.com
O1 - Hosts: (null) esecure.regionsnet.com
O1 - Hosts: (null) rollb.associatedbank.com
O1 - Hosts: (null) upb.unionplanters.com
O1 - Hosts: (null) www.onlinebanking.huntington.com
O1 - Hosts: (null) inet.southtrustonlinebanking.com
O1 - Hosts: (null) logon.personal.wamu.com
O1 - Hosts: (null) login.compassweb.com
O1 - Hosts: (null) logon.firstmeritib.com
O1 - Hosts: (null) login.ccfcuonline.org
O1 - Hosts: (null) ww3.etimebanker.bankofthewest.com
O1 - Hosts: (null) ww2.onlinebanking.lasallebank.com
O1 - Hosts: (null) wvw.totallyfreebanking.com
O1 - Hosts: (null) www.online.wellsfargo.com
O1 - Hosts: (null) www.onlinebanking.bankofoklahoma.com
O1 - Hosts: (null) accounts4.keybank.com
O1 - Hosts: (null) logon.bankone.com
O1 - Hosts: (null) www.secure.tdbanknorth.com
O1 - Hosts: (null) www.secure.mvnt4.com
O1 - Hosts: (null) ww.mynfbonline.com
O1 - Hosts: (null) login.forumcuonline.com
O1 - Hosts: (null) www.eds.usersonlnet.com
O1 - Hosts: (null) www.onlineid.bankofamerica.com
O1 - Hosts: (null) wvw.e-gold.com
O1 - Hosts: (null) pcbs.peoples.com
O1 - Hosts: (null) www.global1.onlinebank.com
O1 - Hosts: (null) ww2.mybranch.lafcu.com
O1 - Hosts: (null) login.webbanking.comerica.com
O1 - Hosts: (null) web.banking.firsttennessee.com
O1 - Hosts: (null) logon.members1st.org
O1 - Hosts: (null) www.cib.ibanking-services.com
O1 - Hosts: (null) www.miwebbusbank.ebanking-services.com
O1 - Hosts: (null) wvw.paypal.com
O1 - Hosts: (null) www.signin.ebay.com
O1 - Hosts: (null) wvw.etrade.com
O1 - Hosts: (null) ww4.fleethomelink.fleet.com
O1 - Hosts: (null) ww3.connect.skyfi.com
O1 - Hosts: (null) www6.usbank.com
O1 - Hosts: (null) www.bvi.bancodevalencia.es
O1 - Hosts: (null) extrant.banesto.es
O1 - Hosts: (null) banesnt.banesto.es
O1 - Hosts: (null) activia.caixagalicia.es
O1 - Hosts: (null) www.bancae.caixapenedes.com
O1 - Hosts: (null) login.caixasabadell.net
O1 - Hosts: (null) oii.cajamadrid.es
O1 - Hosts: (null) login.cajamar.es
O1 - Hosts: (null) login.ccm.es
O1 - Hosts: (null) ww.unicaja.es
O1 - Hosts: (null) www5.bancopopular.es
O1 - Hosts: (null) ww3.bbvanet.com
O1 - Hosts: (null) ww.bayernlb.de
O1 - Hosts: (null) ww2.berliner-volksbank.de
O1 - Hosts: (null) ww7.homebanking-berlin.de
O1 - Hosts: (null) portal09.commerzbanking.de
O1 - Hosts: (null) www.meine.deutsche-bank.de
O1 - Hosts: (null) ww2.dresdner-privat.de
O1 - Hosts: (null) ww.e-banking.helaba.de
O1 - Hosts: (null) ww.hsh-nordbank.de
O1 - Hosts: (null) www.my.hypovereinsbank.de
O1 - Hosts: (null) ww3.homebanking-berlin.de
O1 - Hosts: (null) ww3.homebanking-berlin.de
O1 - Hosts: (null) www.banking.lbbw.de
O1 - Hosts: (null) lrp.sparkasse-banking.de
O1 - Hosts: (null) ww3.homebanking-niedersachsen.de
O1 - Hosts: (null) www.onlinebanking.norisbank.de
O1 - Hosts: (null) www.banking.postbank.de
O1 - Hosts: (null) wvw.internetbanking.gad.de
O1 - Hosts: (null) ww1.portal.izb.de
O1 - Hosts: (null) wvw.kunden-service.lbs.de
O1 - Hosts: (null) ibanking.seb.de
O1 - Hosts: (null) bw7.sparkasse-banking.de
O1 - Hosts: (null) ww2.homebanking-sparkasse.de
O1 - Hosts: (null) ww2.vr-networld-ebanking.de
O1 - Hosts: (null) ww.bics.fr
O1 - Hosts: (null) www.co.caixabank.fr
O1 - Hosts: (null) ww.creditmutuel.fr
O1 - Hosts: (null) internetbank.intesabci.it
O1 - Hosts: (null) ww.extensive.bancalombarda.it
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\System32\nst71.dll
O2 - BHO: (no name) - {32913C12-A0F6-DE57-8E5C-A87F136C81BE} - C:\WINDOWS\System32\ano.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C73F4C-A3F3-8A52-8C5C-A87F136C81B1} - C:\WINDOWS\System32\unhsj.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmlbef.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinrsap.exe FI002
O4 - HKLM\..\RunServices: [Microsoft Mapped PC] mapppc.exe
O4 - HKCU\..\Run: [Lcno] "C:\Program Files\steh\erec.exe" -vt ndrv
O4 - HKCU\..\Run: [Oqi] C:\WINDOWS\System32\n?lookup.exe
O4 - HKCU\..\RunServices: [Content Manager Subsystem] cmss.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/godspeed/grinstall_gsm1009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131346266764
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe (file missing)
Here is the EWIDO Report:
ewido anti-malware - Scan report
+ Created on: 11:15:18 AM, 2/5/2006
+ Report-Checksum: CED84CB3
+ Scan result:
HKLM\SOFTWARE\Clickspring -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
C:\clogs.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@e-2dj6wfk4sgd5scq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@e-2dj6wjlocjazofo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@e-2dj6wjnyomdzcfp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\HOME USERS\Cookies\home users@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HOME USERS\Local Settings\Temp\ysb.dll -> Spyware.YourSiteBar : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@anheuserbusch.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@as-eu.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@data4.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@microsoftwga.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@pro-market[2].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@sel.as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\HOME USERS_2\Cookies\home users_2@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\flogh.exe/update-sp2.html -> Trojan.Lowzone.AL : Error during cleaning
C:\flogh.exe/y.bat -> Trojan.Zapchast : Error during cleaning
C:\gbh.exe/update-sp2.html -> Trojan.Lowzone.AL : Error during cleaning
C:\gbh.exe/y.bat -> Trojan.Zapchast : Error during cleaning
C:\gfhbh.exe/update-sp2.html -> Trojan.Lowzone.AL : Error during cleaning
C:\gfhbh.exe/y.bat -> Trojan.Zapchast : Error during cleaning
C:\tfdeh.exe/update-sp2.html -> Trojan.Lowzone.AL : Error during cleaning
C:\tfdeh.exe/y.bat -> Trojan.Zapchast : Error during cleaning
C:\trngh.exe/update-sp2.html -> Trojan.Lowzone.AL : Error during cleaning
C:\trngh.exe/y.bat -> Trojan.Zapchast : Error during cleaning
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N57M2811NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UERSNetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UERS_0001_NI57M1124NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\USYP_0001_N57M2911NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\v3.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\imGiant.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\system32\apha32.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\b2search.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GZY1IDGL\clogs[1].rar -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\system32\cxdxregt.exe -> Trojan.Zx.12 : Cleaned with backup
C:\WINDOWS\system32\DrPMon.dll_tobedeleted -> Trojan.Agent.iw : Cleaned with backup
C:\WINDOWS\system32\irismon.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\irssyncd.exe -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\rjdsregl.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rwinrsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\TFTP2824 -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\system32\wodxregq.exe -> Trojan.Zx.12 : Cleaned with backup
C:\WINDOWS\system32\ysysqs6d.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\ysysqsiz.exe -> Spyware.ZenoSearch : Cleaned with backup
C:\WINDOWS\update-sp2.html -> Trojan.Lowzone.AL : Cleaned with backup
C:\WINDOWS\y.bat -> Trojan.Zapchast : Cleaned with backup
C:\WINDOWS\ZIFI002.exe -> Adware.ZenoSearch : Cleaned with backup
::Report End
Go to Add/Remove programs in Control Panel and look for the following
steh
Oqi
If found, please uninstall.
=====
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\Program Files\steh\erec.exe
C:\WINDOWS\system32\rwinrsap.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
=====
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
R3 - URLSearchHook: (no name) - {67C73F4C-A3F3-8A52-8C5C-A87F136C81B1} - C:\WINDOWS\System32\unhsj.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
---ALL of the O1 - Host entries---
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\System32\nst71.dll
O2 - BHO: (no name) - {32913C12-A0F6-DE57-8E5C-A87F136C81BE} - C:\WINDOWS\System32\ano.dll
O2 - BHO: (no name) - {67C73F4C-A3F3-8A52-8C5C-A87F136C81B1} - C:\WINDOWS\System32\unhsj.dll
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmlbef.dll
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\rwinrsap.exe FI002
O4 - HKLM\..\RunServices: [Microsoft Mapped PC] mapppc.exe
O4 - HKCU\..\Run: [Lcno] "C:\Program Files\steh\erec.exe" -vt ndrv
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/...er/Install.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.co...ll_gsm1009.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe (file missing)
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe (file missing)
- Close ALL open windows
Click Fix Checked
=====
View hidden files and folders – explained here
=====
Find and Delete the following, if found:
C:\Program Files\steh << this folder
C:\WINDOWS\System32\unhsj.dll << this file
C:\WINDOWS\System32\nst71.dll << this file
C:\WINDOWS\System32\ano.dll << this file
C:\WINDOWS\System32\irsmlbef.dll << this file
C:\WINDOWS\system32\rwinrsap.exe << this file
C:\WINDOWS\System32\wuapi.exe << this file
C:\WINDOWS\System32\netddesrv.exe << this file
C:\WINDOWS\sysmanager.exe << this file
If you get an "Access Denied" message, then please go into Safe Mode to delete the files/folders.
=====
Reboot and post a new HJT log
Did you run the purityscan un-installer?
But I did not have any pop-ups this time when I opened Explorer and I do not see any of the random green links now either. What's next? This seems to be working great...
Here is the latest Hijackthis Log:
Logfile of HijackThis v1.99.1
Scan saved at 1:18:58 PM, on 2/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\n?lookup.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\HOME USERS\Desktop\HJT\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Oqi] C:\WINDOWS\System32\n?lookup.exe
O4 - HKCU\..\RunServices: [Content Manager Subsystem] cmss.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131346266764
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Can you please do the following.
===============
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\System32\n?lookup.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Scan with HiJackThis, then check(tick) the following, if present:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKCU\..\Run: [Oqi] C:\WINDOWS\System32\n?lookup.exe
O4 - HKCU\..\RunServices: [Content Manager Subsystem] cmss.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/...er/Install.cab
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:
Search for...
cmss.exe
...using "Start | Search...".
-
Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".
====
Go to:
Start>>Run and type regedit
Press enter.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Automatic Update Service (Automatic Update)
If Automatic Update Service (Automatic Update) exists, right-click on it and choose Delete from the menu.
Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Automatic Update Service (Automatic Update)
If LEGACY_Automatic Update Service (Automatic Update) exists, then right-click on it and choose Delete from the menu.
Repeat that procedure for the following entry:
NetDDE Server (NetDDEsrv)
-
Reboot.
===============
To help protect your system from hostile ActiveX content, or special 'downloadable' files:
Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:
1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.
-
Note: Remember to regularly check for updates.
===============
After rebooting, rescan with hijackthis and post back a new log.
Go here and download then run Silent Runners.vbs. It generates a log. Please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.
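For anyone reading this thread later: the two clean-up posts above (the one ending with the purityscan question and the one just above) both pick entries out of the HijackThis log by eye, using the same handful of tells each time: O23 services reported "(file missing)" or with an unknown owner, O4 autoruns with a bare file name or a "?" in the path, anything under RunServices, unnamed BHOs loaded straight from the Windows directory, Trusted Zone additions, and DPF/start-page hosts that are not Microsoft's. The Python script below is an added example, not part of this thread and not a feature of HijackThis, ewido or Silent Runners; it applies those same checks to log lines. The allow-list of hosts is an assumption made for the example, and the sample lines are copied from the 1:18 PM log posted above.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Hosts accepted for O16 ActiveX downloads and R0 start pages.
# This allow-list is an assumption made for the example, not an HJT feature.
TRUSTED_HOSTS = {"go.microsoft.com", "update.microsoft.com", "us.dl1.yimg.com"}

# One pattern per HJT section we look at, matching the v1.99.1 line formats above.
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O15_RE = re.compile(r'^O15 - Trusted Zone: (?P<url>\S+)')
O16_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
R0_RE = re.compile(r'^R0 - .*= (?P<url>\S+)$')


def exe_from_command(cmd):
    """Return the executable part of an autorun command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def triage_line(line):
    """Return the reasons one HJT log line deserves a second look; empty list if none."""
    reasons = []
    line = line.rstrip()
    if m := O4_RE.match(line):
        exe = exe_from_command(m["cmd"])
        if m["key"].lower() == "runservices":
            reasons.append("autorun under RunServices (Win9x-era key, still written by malware)")
        if "\\" not in exe:
            reasons.append(f"autorun with a bare file name and no path: {exe}")
        if any(c in exe for c in "?*"):
            reasons.append(f"autorun path contains a character HJT could not print: {exe}")
    elif m := O23_RE.match(line):
        if m["path"].endswith("(file missing)"):
            reasons.append(f"service {m['svc']} points at a missing binary")
        elif m["owner"] == "Unknown owner":
            reasons.append(f"service {m['svc']} has no vendor information")
    elif m := O16_RE.match(line):
        if host_of(m["url"]) not in TRUSTED_HOSTS:
            reasons.append(f"ActiveX download from non-allow-listed host {host_of(m['url'])}")
    elif m := O15_RE.match(line):
        reasons.append(f"Trusted Zone entry for {host_of(m['url'])}")
    elif m := R0_RE.match(line):
        if host_of(m["url"]) not in TRUSTED_HOSTS:
            reasons.append(f"start page set to {host_of(m['url'])}")
    elif m := O2_RE.match(line):
        if m["name"] == "(no name)" and m["path"].upper().startswith("C:\\WINDOWS\\"):
            reasons.append(f"unnamed BHO loaded from the Windows directory: {m['path']}")
    elif line.startswith("R3 - URLSearchHook: (no name)"):
        reasons.append("unnamed URLSearchHook")
    return reasons


def triage_log(text):
    """Map each flagged log line to its reasons, in log order."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Oqi] C:\WINDOWS\System32\n?lookup.exe
O4 - HKCU\..\RunServices: [Content Manager Subsystem] cmss.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe (file missing)
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```

Run it as-is and it prints the six lines the helper ticked or deleted (start page, the n?lookup.exe and cmss.exe autoruns, the sharewareonline.com DPF, and the two missing-binary services) while leaving the QuickTime, Spybot, WGA and AVG lines alone. One caveat worth knowing when you go hunting for the files by hand: a "?" in a HijackThis path is a character the tool could not display, not a wildcard, so searching for the name exactly as printed will not find the file. That is also why the script treats it as a tell rather than trying to resolve it.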