Tech Support Forum banner
Status
Not open for further replies.
1 - 8 of 8 Posts

·
Registered
Joined
·
6 Posts
Discussion Starter · #1 ·
Hi I know there have been a couple of threads like this but in looking at each one it appears that the instructions vary. So if you can help I appreciate it.


This is my log. :4-dontkno

Logfile of HijackThis v1.99.1
Scan saved at 8:10:17 PM, on 8/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Aim\aim.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LimeWire\LimeWire 4.0.8\LimeWire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Rich Pelkofsky\Local Settings\Temporary Internet Files\Content.IE5\WTMFSDUN\HijackThis[1].exe
C:\Program Files\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.infospace.com/info.cable...orms/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.infospace.com/info.cable...orms/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SDWin32 Class - {5B538FA5-8E45-4870-A9C4-38939D5938DD} - C:\WINDOWS\system32\xnfpw.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\Aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Z9r2RWjmh] verbkup.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Optimum Online Cursor Search - C:\WINDOWS\All Users\Application Data\Infospace\OptimumOnline\contextsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://enroll.farmfamily.com/CertControl/xenrlinf.cab
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - https://onbase37.farmfamily.com/ASP...s/OBXViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1123131353186
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - https://onbase37.farmfamily.com/ASP...s/OBXSelect.cab
O16 - DPF: {8B2808C6-118A-407B-81DE-1127D33284CE} (OBXKeywordPanel Control) - https://onbase37.farmfamily.com/ASP...eywordPanel.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://navagility.webex.com/client...bex/ieatgpc.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gm...cdetection3.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: heimeat - Unknown owner - C:\WINDOWS\system32\heimeat.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe :
 

·
Premium Member
Joined
·
14,311 Posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs already - Ad-aware, Spybot and Microsoft AntiSpyware. If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WeirdOnTheWeb
WinTools
Ebates MoeMoneyMaker


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: SDWin32 Class - {5B538FA5-8E45-4870-A9C4-38939D5938DD} - C:\WINDOWS\system32\xnfpw.dll
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Z9r2RWjmh] verbkup.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000079-d.exe
O4 - Global Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
O23 - Service: heimeat - Unknown owner - C:\WINDOWS\system32\heimeat.exe


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\enhtb.dll
C:\WINDOWS\system32\xnfpw.dll
C:\Program Files\WeirdOnTheWeb\
C:\PROGRA~1\COMMON~1\WinTools\
verbkup.exe
C:\Program Files\Common Files\mc-58-12-0000079-d.exe
C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\
C:\WINDOWS\system32\heimeat.exe


Restart and run a new HijackThis scan. Save the log file and post it here.
 

·
Registered
Joined
·
6 Posts
Discussion Starter · #3 ·
Stage one complete

Thanks for your help :smile:

Attached is my latest Log.

Logfile of HijackThis v1.99.1
Scan saved at 8:31:51 PM, on 8/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Aim\aim.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\Aim\aim.exe -cnetwait.odl
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Optimum Online Cursor Search - C:\WINDOWS\All Users\Application Data\Infospace\OptimumOnline\contextsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://enroll.farmfamily.com/CertControl/xenrlinf.cab
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - https://onbase37.farmfamily.com/ASPWEB/Applets/OBXViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123131353186
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - https://onbase37.farmfamily.com/ASPWEB/Applets/OBXSelect.cab
O16 - DPF: {8B2808C6-118A-407B-81DE-1127D33284CE} (OBXKeywordPanel Control) - https://onbase37.farmfamily.com/ASPWEB/Applets/OBXKeywordPanel.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://navagility.webex.com/client/v_mywebex/webex/ieatgpc.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hello rpelkofsky,

Nice job. :smile: I'd like to run one more scan though to be sure nothing else is lingering:

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply along with another HijackThis log

* Turn off the real time scanner of any existing antivirus program while performing the online scan
 

·
Registered
Joined
·
6 Posts
Discussion Starter · #5 ·
hijack this rescan

Logfile of HijackThis v1.99.1
Scan saved at 8:41:51 PM, on 8/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Aim\aim.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\Aim\aim.exe -cnetwait.odl
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: Optimum Online Cursor Search - C:\WINDOWS\All Users\Application Data\Infospace\OptimumOnline\contextsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - https://enroll.farmfamily.com/CertControl/xenrlinf.cab
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - https://onbase37.farmfamily.com/ASPWEB/Applets/OBXViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123131353186
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - https://onbase37.farmfamily.com/ASPWEB/Applets/OBXSelect.cab
O16 - DPF: {8B2808C6-118A-407B-81DE-1127D33284CE} (OBXKeywordPanel Control) - https://onbase37.farmfamily.com/ASPWEB/Applets/OBXKeywordPanel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {C4F8560C-708E-4553-B82A-AD0F236EDEEB} - https://na1.salesforce.com/setup/outlook/setups/outlook.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://navagility.webex.com/client/v_mywebex/webex/ieatgpc.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


Panda scan

Incident Status Location

Adware:adware/hotoffers No disinfected C:\WINDOWS\SYSTEM32\pharmacy.ico
Adware:adware/adlogix No disinfected C:\WINDOWS\SYSTEM32\sp32.xml
Adware:adware/twain-tech No disinfected C:\WINDOWS\SATMAT.INI
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\loadclean.exe
Adware:adware/novo No disinfected
Windows Registry
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ
Adware:adware/wintools No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mac80ex.idf[msbe.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mac80ex.idf[Uninstall.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mac80ex.idf[bargains.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mac80ex.idf[adv.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mac80ex.idf[adx.exe]
Possible Virus. No disinfected C:\WINDOWS\JAVA\javainfo.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\SATMAT.INI
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinAdServX.dll
Virus:Trj/Runet.A Disinfected C:\WINDOWS\_hp.html
Virus:Trj/Downloader.BTV Disinfected C:\WINDOWS\loadclean.exe
Virus:Trj/Imiserv.I Disinfected C:\WINDOWS\enhuninstall.exe
Adware:Adware/Thecoolbar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\060C22EE-51AC-4860-9269-A3454F\F0713685-8834-48B6-9B09-EDA16A
Spyware:Spyware/BargainBuddy No disinfected C:\temp\logo.gif
Adware:Adware/nCase No disinfected C:\Documents and Settings\Rich Pelkofsky\Local Settings\Temporary Internet Files\Content.IE5\FYGJRLWD\prompt_ie_win[1].js
Adware:Adware/nCase No disinfected C:\Documents and Settings\Rich Pelkofsky\Local Settings\Temporary Internet Files\Content.IE5\8ZLVI63X\init[1].js
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Please print out or copy this page to Notepad since you will not have any of browsers open while you are fixing this. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Reboot into Safe Mode.(tapping F8 or F5)

Click START…RUN…Type in regedit to make backup copys of the registry

Start>>>Run>>> Type in regedt32. To make any changes to registry keys/folders involving any folder permissions. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRE NTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRE NTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\SYSTEM32\pharmacy.ico
C:\WINDOWS\SYSTEM32\sp32.xml
C:\WINDOWS\SATMAT.INI
C:\WINDOWS\loadclean.exe
C:\WINDOWS\SYSTEM\mac80ex.idf[msbe.dll]
C:\WINDOWS\SYSTEM\mac80ex.idf[Uninstall.exe]
C:\WINDOWS\SYSTEM\mac80ex.idf[bargains.exe]
C:\WINDOWS\SYSTEM\mac80ex.idf[adv.exe]
C:\WINDOWS\SYSTEM\mac80ex.idf[adx.exe]
C:\WINDOWS\JAVA\javainfo.exe
C:\WINDOWS\Downloaded Program Files\WinAdServX.dll
C:\temp\logo.gif


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [NO] at the Pending Operations prompt.

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run another scan with Panda and post it here again.
 

·
Registered
Joined
·
6 Posts
Discussion Starter · #7 ·
the panda scan

Incident Status Location

Adware:adware/adlogix No disinfected C:\WINDOWS\SYSTEM32\retpdat32.xml
Spyware:spyware/betterinet No disinfected
Windows Registry
Spyware:Spyware/BargainBuddy No disinfected
C:\!Submit\logo.gif
Adware:Adware/Thecoolbar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\060C22EE-51AC-4860-9269-A3454F\F0713685-8834-48B6-9B09-EDA16A
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Reboot into Safe Mode.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\SYSTEM32\retpdat32.xml
C:\!Submit\logo.gif


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Delete the following folder if it still exists:

C:\!Submit

Restart back into Normal Mode. If there aren't any more problems you should be all set. Please do the following:

Reset hidden/system files and folders

Windows 2000
===============
Open My Computer.
*Select the Tools menu and click Folder Options.
*Select the View tab.
*Select the Advanced settings box option.
*Select the Hidden files Folders.
*Deselect/I] the Show all files option.
Click Yes to confirm.
Click OK.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:
HOW DID I GET INFECTED IN THE FIRST PLACE? http://forums.net-integration.net/index.php?showtopic=3051
THE ANTI-SPYWARE TUTORIAL http://www.greyknight17.com/spyware.htm#prevent
MAKING INTERNET EXPLORER SAFER http://www.bleepingcomputer.com/forums/Making_Internet_Explorer_Safer-tut102.html

Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and downloads are available at the following links:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
 
1 - 8 of 8 Posts
Status
Not open for further replies.
Top