Status
Not open for further replies.
1 - 10 of 10 Posts

·
Registered
Joined
·
35 Posts
Discussion Starter · #1 ·
We've had a problem the last week or so with these popups. They originate from searc-h.com but quickly change to a different address -- a poker site, adopt.hotbar, passion.com, icann, etc. I've done HJT and can't find anything. I've deleted a bunch of dll's that were suspicious but they keep coming back. Someone please help me!!! The popups are very irritating and occasionally verge on risque. They come up even if we don't have our browser up. We walk away from the computer, come back in 10 min., and there's 3 or more pop up windows sitting there. Our popup blocker catches some (especially the ones that try to popup as you close another) but nowhere near all of them. I'll post a HJT log but I don't think you'll find anything. Any help is appreciated. Thanks so much.

Jen Silverman

Logfile of HijackThis v1.99.1
Scan saved at 8:52:44 PM, on 8/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
D:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
D:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
D:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
D:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
D:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
D:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
D:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\BESTPOPUPKILLER\BESTPOPUPKILLER.EXE
D:\REG CLEANER\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] D:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] D:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab


End of KRC HijackThis Analyzer Log.
 

·
Registered
Joined
·
6,574 Posts
Hi and Welcome to TSF!

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".

Save the next instructions in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then. You should not have any browsers on.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

It is also important you don't miss a step and perform everything in the right order!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log". Please double-click that log and copy the entire contents and paste them in your next post.

Unplug your computer from the Internet when you have finished downloading


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO SAFE MODE
  1. Restart the computer. The computer begins processing a set of instructions known as BIOS.
  2. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
  3. Continue to do so until the 'Windows Advanced Options' menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Enable the viewing of Hidden files
  1. From Windows Explorer, go to Tools>Folder Options>View tab.
  2. Enable the option for 'Show hidden files and folders'
  3. Disable the option for 'Hide file extensions for known types'
  4. Disable the option for 'Hide protected operating system files'
  5. Click Yes to confirm & then click OK

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :
  • WEATHERBUG
  • BESTPOPUPKILLER
  • SpyKiller

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan with HiJackThis, select (tick) the following & click [Fix checked]:

O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Locate and delete the following folder(s), if present:
  • C:\PROGRAM FILES\AWS\
  • C:\Program Files\SpyKiller\
  • C:\Program Files\BestPopUpKiller\


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE

Do an online scan at one of the following sites:
Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
 

·
Registered
Joined
·
35 Posts
Discussion Starter · #3 · (Edited)
We have to get rid of Weatherbug?? We've had it for quite a while. I've heard that it brings in a lot of adware but I didn't think it was actually dangerous. If so, however, we'll get rid of it.

Spykiller we don't use much but what about the best popup stopper? We just downloaded that recently to deal with all the popups from searc-h. Is there something better to get rid of popups? It seems like that one works very well.

Thanks for your assistance.

Jen Silverman
 

·
Registered
Joined
·
35 Posts
Discussion Starter · #5 ·
All I can say is, I think whatever is in here is fighting back tooth and nail. What an ordeal. I did everything you said but it got more and more difficult as we went along. Here's how it went.

When I went to open antispyware.log it wouldn't open. So I went to reboot but it wouldn't shut down. It cleared the desktop and would go no further. So, I reset it. It scanned and restarted. I tried to open antispyware.log again but it wouldn't open so I went ahead and booted up in safe mode. I deleted everything with no trouble. I rebooted again and went to do the scan at Panda. While it was scanning I continued to get popups. The first part of the scan went ok, I just closed the popups and they went away. Then I got a virus alert. I forgot to mention that we'd been getting these. There are two different viruses but both form a file in the Temp. Internet Folder called "content.ie5". I took care of that and the scan continued. Then I got an error message that said the hard drive was full. I minimized the browser windows and looked at the c drive. It showed full. There was no way it was full. Anyway, now the popups would not go away. They just kept stacking up on the taskbar. Finally the scan was finished. I saved the log and will copy that and my hjt log here now. Oh, I had to restart the computer to get all the popups to go away and get things working right again. When I restarted, the c drive showed the correct amount of space again. (I am, however, still getting popups).

Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\AQDSD32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ASVAPI32.DLL
Adware:adware/cws.aboutblank No disinfected C:\WINDOWS\SYSTEM\crhz32.dll
Spyware:spyware/bridge No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\bridge.inf
Adware:adware/savenow No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.inf
Adware:adware/mediatickets No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaTicketsInstaller.ocx
Adware:adware/toprebates No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/transponder No disinfected C:\WINDOWS\INF\PYNIX.INF
Adware:adware/blazefind No disinfected C:\WINDOWS\Key2.txt
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Winad Client
Adware:adware/oemji No disinfected C:\PROGRAM FILES\COMMON FILES\Oem Common
Adware:adware/sidesearch No disinfected C:\WINDOWS\APPLICATION DATA\Lycos
Adware:adware/wintools No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\VKB32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\ASVAPI32.DLL
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\aqdsd32.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\PYNIX.INF
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavD110.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavD1E2.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pavE2B1.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav45.TMP
Adware:Adware/Look2Me No disinfected C:\WINDOWS\TEMP\pav213.TMP
Spyware:Spyware/Searchcentrix No disinfected C:\WINDOWS\Downloaded Program Files\2020Search.inf
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinadX.inf
Adware:Adware/WinTools No disinfected C:\WINDOWS\Key2.txt
Adware:Adware/SaveNow No disinfected D:\screensaver\lakefree.exe[lakesetup.exe][BSAVEINST.EXE]
Adware:Adware/SaveNow No disinfected D:\screensaver\autumnfree2.exe[asfree.exe][SAVENOWINST.EXE]

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:15:59 PM, on 8/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
D:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
D:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
D:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
D:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
D:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
D:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
D:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
D:\REG CLEANER\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] D:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] D:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab


End of KRC HijackThis Analyzer Log.
====================================================================
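
A way to check a fresh log against the [Fix checked] list from the earlier reply, as an added example that is not part of any post in this thread. It matches entries on the Run value name or CLSID instead of the whole line, because the forum shortened the WeatherBug URL in the posted fix list. The sample logs are a constructed subset of the 8/19 and 8/23 logs on this page, and `check_fix` and its helpers are hypothetical names.

```python
import re

# "O4 - ...", "O16 - ...", "R1 - ..." style HijackThis result lines.
ENTRY = re.compile(r"^(O\d+|[RFN]\d) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^(.*?): \[([^\]]+)\]")  # "HKCU\..\Run: [Weather] ..."

# Constructed samples: a few lines copied from the logs in this thread.
BEFORE = r"""
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
"""
AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
"""
# The fix list exactly as it appears in the reply, shortened URL included.
FIX_LIST = r"""
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
"""


def entry_key(line):
    """Return a stable identity for one log line, or None for non-entries."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    clsid = CLSID.search(rest)
    if clsid:                      # BHO, toolbar and DPF entries
        return (section, clsid.group(0).upper())
    run = RUN.match(rest)
    if run:                        # autostart entries: registry key + value name
        return (section, run.group(1).lower(), run.group(2).lower())
    return (section, rest.lower())  # anything else: whole line, case-folded


def parse_log(text):
    entries = {}
    for line in text.splitlines():
        key = entry_key(line)
        if key:
            entries[key] = line.strip()
    return entries


def check_fix(before, after, fix_list):
    """Compare two logs against the entries that were supposed to be fixed."""
    b, a, f = parse_log(before), parse_log(after), parse_log(fix_list)
    return {
        "removed": sorted(k for k in f if k in b and k not in a),
        "still_present": sorted(k for k in f if k in a),
        "new": sorted(k for k in a if k not in b),  # review each one by hand
    }


if __name__ == "__main__":
    for label, keys in check_fix(BEFORE, AFTER, FIX_LIST).items():
        print(label, keys)
```

An entry listed under "new" is not automatically bad: here it is the ActiveX control installed by the online scan itself.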
 

·
TSF Security Team, Emeritus
Joined
·
6,962 Posts
Please download L2m9xfix here:
http://www.geekstogo.com/downloads/l2m9xfix.exe

Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder it just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat and a new Panda scan.
 

·
Registered
Joined
·
35 Posts
Discussion Starter · #7 ·
OK. Sorry it took so long to get back. Here's everything. So far so good. Things seem to be working much better. I didn't get any popups while running the panda scan. You mentioned that there are good alternatives to Weatherbug. Would you be able to recommend a safe desktop weather program that is similar? Thank you so much for your help!!!!

Jen Silverman

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:14:49 AM, on 8/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
D:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
D:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
D:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
D:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
D:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
D:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
D:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
D:\REG CLEANER\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] D:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] D:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx


End of KRC HijackThis Analyzer Log.
====================================================================
Log of L2M9XFix v1

************

Running from directory:
D:\reg cleaner\l2m9xfix

************

Files found:

C:\WINDOWS\system\ASVAPI32.DLL
C:\WINDOWS\system\ASVAPI32.DLL
C:\WINDOWS\system\ASVAPI32.DLL
C:\WINDOWS\system\ASVAPI32.DLL
C:\WINDOWS\system\cntc32.dll
C:\WINDOWS\system\cntc32.dll
C:\WINDOWS\system\cntc32.dll
C:\WINDOWS\system\cntc32.dll
C:\WINDOWS\system\mgcmk.dll
C:\WINDOWS\system\mgcmk.dll
C:\WINDOWS\system\mgcmk.dll
C:\WINDOWS\system\mgcmk.dll
C:\WINDOWS\system\nrqj32.dll
C:\WINDOWS\system\nrqj32.dll
C:\WINDOWS\system\nrqj32.dll
C:\WINDOWS\system\nrqj32.dll
C:\WINDOWS\system\susqw.dll
C:\WINDOWS\system\susqw.dll
C:\WINDOWS\system\susqw.dll
C:\WINDOWS\system\susqw.dll
C:\WINDOWS\system\VKB32.DLL
C:\WINDOWS\system\VKB32.DLL
C:\WINDOWS\system\VKB32.DLL
C:\WINDOWS\system\VKB32.DLL

************

Registry entries found:

[HKEY_CLASSES_ROOT\CLSID\{EEF2E400-0729-11DA-A1F3-00C04F964275}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\ASVAPI32.DLL"


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

******Panda Scan (activescan.txt)*********

Incident Status Location

Adware:adware/cws.aboutblank No disinfected C:\WINDOWS\SYSTEM\crhz32.dll
Spyware:spyware/bridge No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\bridge.inf
Adware:adware/savenow No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.inf
Adware:adware/mediatickets No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaTicketsInstaller.ocx
Adware:adware/toprebates No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/transponder No disinfected C:\WINDOWS\INF\PYNIX.INF
Adware:adware/blazefind No disinfected C:\WINDOWS\Key2.txt
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Winad Client
Adware:adware/oemji No disinfected C:\PROGRAM FILES\COMMON FILES\Oem Common
Adware:adware/sidesearch No disinfected C:\WINDOWS\APPLICATION DATA\Lycos
Adware:adware/wintools No disinfected Windows Registry
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\PYNIX.INF
Spyware:Spyware/Searchcentrix No disinfected C:\WINDOWS\Downloaded Program Files\2020Search.inf
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinadX.inf
Adware:Adware/WinTools No disinfected C:\WINDOWS\Key2.txt
Adware:Adware/SaveNow No disinfected D:\screensaver\lakefree.exe[lakesetup.exe][BSAVEINST.EXE]
Adware:Adware/SaveNow No disinfected D:\screensaver\autumnfree2.exe[asfree.exe][SAVENOWINST.EXE]
Dialer:Dialer.Gen No disinfected D:\backup\WINDOWS\TEMP\nsiCD.exe
Dialer:Dialer.Gen No disinfected D:\backup\WINDOWS\SYSTEM\Dream_Desire-uninstall.exe
 

·
Registered
Joined
·
6,574 Posts
Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file). Choose YES when it informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot:

C:\WINDOWS\SYSTEM\crhz32.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\bridge.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\MediaTicketsInstaller.ocx
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WinadX.inf
C:\WINDOWS\INF\PYNIX.INF
C:\WINDOWS\Key2.txt
C:\WINDOWS\SYSTEM\UpdInst.exe
C:\WINDOWS\Downloaded Program Files\2020Search.inf
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
C:\WINDOWS\Downloaded Program Files\WinadX.inf
C:\WINDOWS\Key2.txt
D:\screensaver\lakefree.exe
D:\screensaver\autumnfree2.exe
D:\backup\WINDOWS\TEMP\nsiCD.exe
D:\backup\WINDOWS\SYSTEM\Dream_Desire-uninstall.exe


Navigate and manually delete these folders:

C:\PROGRAM FILES\Winad Client
C:\PROGRAM FILES\COMMON FILES\Oem Common
C:\WINDOWS\APPLICATION DATA\Lycos


Reboot your computer now, and re-run Panda. Bring back the results.
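
The step from the Panda report to the delete list above can be scripted; the following is an added example, not part of the reply or of any tool named in this thread. It collapses paths that differ only in letter case (the list above repeats `Key2.txt`, `WinadX.inf` and `MediaTicketsInstaller.ocx`), strips the `[member]` suffixes Panda appends for files inside installers, and keeps every detection name per path. The sample rows are a constructed subset of the report on this page, only the "No disinfected" status seen here is handled, and treating a leaf name without a dot as a folder is an assumption.

```python
import re
from collections import OrderedDict

# One report row: "<Kind>:<detection> No disinfected <location>".
ROW = re.compile(
    r"^(?P<kind>\w+):(?P<name>\S+)\s+(?P<status>No disinfected)\s+(?P<loc>.+)$"
)
ARCHIVE_MEMBER = re.compile(r"(\[[^\]]+\])+$")  # "[lakesetup.exe][BSAVEINST.EXE]"
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: rows copied from the ActiveScan report in this thread.
REPORT = r"""
Incident Status Location

Adware:adware/cws.aboutblank No disinfected C:\WINDOWS\SYSTEM\crhz32.dll
Adware:adware/toprebates No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/blazefind No disinfected C:\WINDOWS\Key2.txt
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Winad Client
Adware:adware/wintools No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinadX.inf
Adware:Adware/WinTools No disinfected C:\WINDOWS\Key2.txt
Adware:Adware/SaveNow No disinfected D:\screensaver\lakefree.exe[lakesetup.exe][BSAVEINST.EXE]
"""


def build_cleanup_list(report):
    """Return (files, folders, other) parsed from an ActiveScan text report.

    files/folders: list of {"path", "detections"} in first-seen order,
    de-duplicated case-insensitively. other: rows whose location is not a
    drive path (for example "Windows Registry"), left for manual handling.
    """
    files, folders, other = OrderedDict(), OrderedDict(), []
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, blank line or an unknown status
        # Delete the container file, not the member inside it.
        loc = ARCHIVE_MEMBER.sub("", m.group("loc").strip())
        if not DRIVE_PATH.match(loc):
            other.append((m.group("name").lower(), loc))
            continue
        leaf = loc.rsplit("\\", 1)[-1]
        # Assumption: a leaf without an extension is a folder.
        bucket = files if "." in leaf else folders
        entry = bucket.setdefault(loc.lower(), {"path": loc, "detections": []})
        detection = m.group("name").lower()
        if detection not in entry["detections"]:
            entry["detections"].append(detection)
    return list(files.values()), list(folders.values()), other


if __name__ == "__main__":
    files, folders, other = build_cleanup_list(REPORT)
    for title, rows in (("Files", files), ("Folders", folders)):
        print(title)
        for row in rows:
            print("  ", row["path"], "<-", ", ".join(row["detections"]))
    print("Not a file path:", other)
```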
 

·
Premium Member
Joined
·
14,311 Posts
Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
 