·
Registered
Joined
·
7 Posts
Discussion Starter · #1 ·
An unknown toolbar has crept into my system and installed itself on my IE 6.
I can't identify this one and when I ran adaware se 1.06, it found several entries of coolwebsearch. I "removed" this stuff, ran adaware again and it found nothing else, but the searchbar is still on my IE... maybe you can identify it and let me know how I can remove it:


It has locked out my separator so I can't adjust my ie toolbar to reopen my address window which is no longer available.
Clicking "remove toolbar" does nothing. very frustrating.

Thanks in advance for any assistance you may be able to offer.
Mike
 

·
Registered
Joined
·
7 Posts
Discussion Starter · #2 ·
update

Just a quick follow up...
I found an obscure link which helped me remove the "theQuickLink" toolbar:
http://windowsxp.mvps.org/toolbarcop.htm
None of my adware/spyware/virus removal tools could get rid of this PEST.
But I am left with the inability to check mark my "address bar" which is currently unchecked in IE and I cannot access anything but "customize".
Is there another something I need to do/get rid of?
Please help.
Thanks.
Mike

Hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 9:14:33 PM, on 9/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\SPYSPOTTER3\SPYSPOTTER.EXE
C:\PROGRAM FILES\SPYSPOTTER3\DEFENDER.EXE
C:\PROGRAM FILES\PRIVACYERASER COMPUTING\FREE INTERNET ERASER\INTERNETERASER.EXE
C:\PROGRAM FILES\ICONOID\ICONOID.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/c/home.htm
O3 - Toolbar: (no name) - -{08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: (no name) - -{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HWIPER.EXE] C:\WINDOWS\SYSTEM\HWIPER.EXE
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRAM FILES\SPYSPOTTER3\SPYSPOTTER.exe -startup
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\PROGRAM FILES\SPYSPOTTER3\Defender.exe -startup
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Free Internet Eraser] C:\PROGRAM FILES\PRIVACYERASER COMPUTING\FREE INTERNET ERASER\INTERNETERASER.EXE /Startup
O4 - Startup: iconoid.lnk = C:\Program Files\Iconoid\iconoid.exe
O12 - Plugin for .cfm: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppl3260.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.177.202,85.255.112.23
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hello wontgetlost and welcome to TSF,

Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one if they are still listed (they shouldn't be - but double check it). (You must kill them one at a time.)

C:\PROGRAM FILES\SPYSPOTTER3\SPYSPOTTER.EXE
C:\PROGRAM FILES\SPYSPOTTER3\DEFENDER.EXE


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

SPYSPOTTER3 --it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/c/home.htm
O3 - Toolbar: (no name) - -{08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)


CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
-Empty Recycle Bins
-Temporary Internet Files
-Delete Cookies
-Delete Prefetch files
-[X]Scan local drives for temporary files (Please uncheck this option)
-Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Normal Mode.

Perform an online scan using Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
 

·
Registered
Joined
·
7 Posts
Discussion Starter · #4 ·
update...

Thanks very much for your reply Ried.
I followed your directions. I removed the "HijackThis" entries you specified, I ran Cleanup! And I did the Panda Active Scan.
CW shredder is for the CoolWebSearch toolbar... however, what was on my system was the "TheQuickLink" toolbar which is much more nasty since it takes away your ability to use your address bar and it disables the rest of your IE toolbar too. Even though I've disabled the "TheQuickLink" toolbar, I can't do anything with my IE toolbar:


I reinstalled IE6, and even overwrote the newer files with the older ones.
That didn't work.
I'm thinking there must be a wicked registry entry or a missing/corrupted dll file gumming up the works.
Any ideas on this?
Thanks again in advance for any help you could offer.
Here's the result of the Panda Active Scan:


Incident Status Location

Adware:adware/cws No disinfected C:\WINDOWS\Favorites\Kill Annoying Popups.url
Spyware:spyware/wareout No disinfected C:\WINDOWS\Application Data\wo.tmp
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/oemji No disinfected C:\PROGRAM FILES\COMMON FILES\Oem Common
Spyware:spyware/omi No disinfected Windows Registry
Dialer:Dialer.Gen No disinfected C:\WINDOWS\SYSTEM\Desire-uninstall.exe
Virus:Trj/Agent.AMR Disinfected C:\WINDOWS\SYSTEM\hwiper.exe
Adware:Adware/QuickWeb No disinfected C:\WINDOWS\SYSTEM\hlmicro.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\SYSTEM\etjqn.dll
Virus:Trj/Downloader.EQS Disinfected C:\WINDOWS\SYSTEM\csrmr.exe
Virus:Bck/Small.B Disinfected C:\WINDOWS\Desktop\My Briefcase\Baddd\servicent.exe
Virus:Bck/Small.B Disinfected C:\WINDOWS\Desktop\My Briefcase\not sure\iserver.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.6\HDPlugin1015.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.2\HDPlugin1015.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.3\HDPlugin1015.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.4\HDPlugin1015.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.5\HDPlugin1015.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.1\HDPlugin1015.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.1\HDPlugin1019.inf
Virus:Eicar.Mod No disinfected C:\WINDOWS\Desktop\Do Next\Cleanup\Other Programs\Pest Patrol\PPatrol\Help.chm[HowCanITestDetection.html]
Virus:Bck/Snart.C Disinfected C:\WINDOWS\flash.exe
Virus:Worm Generic.SD Disinfected C:\WINDOWS\cisco_pix.exe
Adware:Adware/Naupoint No disinfected C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll
Adware:Adware/SaveNow No disinfected C:\Program Files\Bird Hunter\VVSN_ADFS0741Inst.exe
Adware:Adware/QuickSearch No disinfected C:\Program Files\FileSubmit\the_little_mermaid.exe\TBEZA127Q.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\FileSubmit\the_little_mermaid.exe\NNEZTA388.exe
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:Adware/SaveNow No disinfected C:\Program Files\Ore No Ryomi 2\VVSN_ADFS0741Inst.exe
Adware:Adware/SaveNow No disinfected C:\Program Files\Martyrdom Dungeon\VVSN_ADFS0741Inst.exe
Virus:Trj/Downloader.AGQ Disinfected C:\Recycled\Q330995.exe
Virus:Trj/Downloader.AEU Disinfected C:\eied_s7.cab
Adware:Adware/MediaTickets No disinfected D:\Programs on D\HiJackThis\backup-20040513-124002-478
Adware:Adware/MediaTickets No disinfected D:\Programs on D\HiJackThis\backup-20040908-135629-606
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Please print out these instructions for reference as you will have to restart your computer during the fix. An internet connection is required as the installer will need to download other files during the fix.

Please download & save on Desktop - KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Please download & Install - FixWareout.exe

When you reach the final page of the installation process, make sure "Run fixit" is checked.
Follow the on-screen prompts & reboot your computer when instructed to do so.

**Do not be alarmed if your computer takes longer than usual to load.

After you have restarted, wait for HijackThis to launch automatically.
Please click Scan, and check the following items:

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.177.202,85.255.112.23

Click Fix Checked. Close HijackThis, and click OK to proceed.


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister dll before deleting * if it's not grayed out
Select all the filenames below & then right-click & select Copy
  • C:\WINDOWS\Favorites\Kill Annoying Popups.url
    C:\WINDOWS\Application Data\wo.tmp
    C:\WINDOWS\rdt.ini
    C:\PROGRAM FILES\COMMON FILES\Oem Common
    C:\WINDOWS\SYSTEM\Desire-uninstall.exe
    C:\WINDOWS\SYSTEM\hlmicro.exe
    C:\WINDOWS\SYSTEM\etjqn.dll
    C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.6\HDPlugin1015.dll
    C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.2\HDPlugin1015.dll
    C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.3\HDPlugin1015.dll
    C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.4\HDPlugin1015.dll
    C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.5\HDPlugin1015.dll
    C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.1\HDPlugin1015.dll
    C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.1\HDPlugin1019.dll
    C:\WINDOWS\Desktop\My Briefcase\Delete at next bootup\CONFLICT.1\HDPlugin1019.inf
    C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll
    C:\Program Files\Bird Hunter\VVSN_ADFS0741Inst.exe
    C:\Program Files\Ore No Ryomi 2\VVSN_ADFS0741Inst.exe
    C:\Program Files\Martyrdom Dungeon\VVSN_ADFS0741Inst.exe
    C:\Recycled\Q330995.exe
    C:\eied_s7.cab
* Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to Full Path of File to Delete field.
* Verify that the filenames you pasted are found there
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
After you have rebooted, locate & delete this folder - C:\Program Files\FileSubmit\

Then, Perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
 

·
Registered
Joined
·
7 Posts
Discussion Starter · #6 ·
I keep trying...

I did the Killbox and the Fixwareout thing.
I did the Kasp scan and here's the results:
(most of the stuff is in the system restore cab files.)


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, September 18, 2005 20:28:58
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 19/09/2005
Kaspersky Anti-Virus database records: 140891
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
g:\
h:\

Scan Statistics:
Total number of scanned objects: 110226
Number of viruses found: 12
Number of infected objects: 56
Number of suspicious objects: 0
Duration of the scan process: 12255 sec

Infected Object Name - Virus Name
c:\_RESTORE\TEMP\A0401828.CPY Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\TEMP\A0401829.CPY Infected: Trojan-Dropper.Win32.Vidro.x
c:\_RESTORE\TEMP\A0407797.CPY Infected: Trojan-Downloader.Win32.Delf.vq
c:\_RESTORE\ARCHIVE\FS3932.CAB/A0396429.CPY Infected: Trojan-Downloader.Win32.Delf.ks
c:\_RESTORE\ARCHIVE\FS3932.CAB Infected: Trojan-Downloader.Win32.Delf.ks
c:\_RESTORE\ARCHIVE\FS3898.CAB/A0393876.CPY Infected: Trojan-Downloader.Win32.Delf.ks
c:\_RESTORE\ARCHIVE\FS3898.CAB Infected: Trojan-Downloader.Win32.Delf.ks
c:\_RESTORE\ARCHIVE\FS4016.CAB/A0404694.CPY Infected: Trojan-Dropper.Win32.Vidro.x
c:\_RESTORE\ARCHIVE\FS4016.CAB/A0404696.CPY Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS4016.CAB Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS4017.CAB/A0404742.CPY Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS4017.CAB/A0404743.CPY Infected: Trojan-Dropper.Win32.Vidro.x
c:\_RESTORE\ARCHIVE\FS4017.CAB/A0404744.CPY Infected: Trojan-Dropper.Win32.Vidro.x
c:\_RESTORE\ARCHIVE\FS4017.CAB/A0404752.CPY Infected: Trojan.Win32.Small.fr
c:\_RESTORE\ARCHIVE\FS4017.CAB Infected: Trojan.Win32.Small.fr
c:\_RESTORE\ARCHIVE\FS3995.CAB/A0402824.CPY Infected: Trojan-Dropper.Win32.Vidro.x
c:\_RESTORE\ARCHIVE\FS3995.CAB/A0402825.CPY Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS3995.CAB/A0402860.CPY Infected: Trojan-Downloader.Win32.Delf.ks
c:\_RESTORE\ARCHIVE\FS3995.CAB/A0402862.CPY Infected: Trojan-Downloader.Win32.Delf.ks
c:\_RESTORE\ARCHIVE\FS3995.CAB/A0402864.CPY Infected: Trojan-Downloader.Win32.Delf.ks
c:\_RESTORE\ARCHIVE\FS3995.CAB Infected: Trojan-Downloader.Win32.Delf.ks
c:\_RESTORE\ARCHIVE\FS3993.CAB/A0401709.CPY Infected: Trojan.Win32.DNSChanger.x
c:\_RESTORE\ARCHIVE\FS3993.CAB/A0401712.CPY Infected: Trojan-Dropper.Win32.Vidro.x
c:\_RESTORE\ARCHIVE\FS3993.CAB/A0401713.CPY Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS3993.CAB/A0401714.CPY Infected: Trojan.Win32.DNSChanger.x
c:\_RESTORE\ARCHIVE\FS3993.CAB/A0401762.CPY Infected: Trojan.Win32.Small.fr
c:\_RESTORE\ARCHIVE\FS3993.CAB Infected: Trojan.Win32.Small.fr
c:\_RESTORE\ARCHIVE\FS3996.CAB/A0402879.CPY Infected: Trojan-Dropper.Win32.Vidro.x
c:\_RESTORE\ARCHIVE\FS3996.CAB/A0402882.CPY Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS3996.CAB Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS4015.CAB/A0404668.CPY Infected: Trojan-Dropper.Win32.Vidro.x
c:\_RESTORE\ARCHIVE\FS4015.CAB/A0404669.CPY Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS4015.CAB Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS4021.CAB/A0404820.CPY Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS4021.CAB Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS4019.CAB/A0404789.CPY Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS4019.CAB Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS4025.CAB/A0405228.CPY Infected: Trojan.Win32.Small.fr
c:\_RESTORE\ARCHIVE\FS4025.CAB/A0405232.CPY Infected: Trojan.Win32.Small.fr
c:\_RESTORE\ARCHIVE\FS4025.CAB/A0405256.CPY Infected: Trojan.Win32.Small.fr
c:\_RESTORE\ARCHIVE\FS4025.CAB Infected: Trojan.Win32.Small.fr
c:\_RESTORE\ARCHIVE\FS4037.CAB/A0406024.CPY Infected: Trojan.Win32.Small.fr
c:\_RESTORE\ARCHIVE\FS4037.CAB/A0406025.CPY Infected: Trojan-Downloader.Win32.Agent.uj
c:\_RESTORE\ARCHIVE\FS4037.CAB/A0406026.CPY Infected: Backdoor.Win32.Snart.h
c:\_RESTORE\ARCHIVE\FS4037.CAB/A0406027.CPY Infected: Backdoor.Win32.Snart.h
c:\_RESTORE\ARCHIVE\FS4037.CAB/A0406028.CPY Infected: Backdoor.Win32.Snart.gen
c:\_RESTORE\ARCHIVE\FS4037.CAB/A0406029.CPY Infected: Backdoor.Win32.Snart.gen
c:\_RESTORE\ARCHIVE\FS4037.CAB Infected: Backdoor.Win32.Snart.gen
c:\_RESTORE\ARCHIVE\FS4038.CAB/A0406030.CPY Infected: Trojan-Downloader.Win32.Agent.ew
c:\_RESTORE\ARCHIVE\FS4038.CAB Infected: Trojan-Downloader.Win32.Agent.ew
c:\WINDOWS\Desktop\Update\LA Forum\fix.txt Infected: Trojan.JS.Cardst
c:\WINDOWS\Desktop\Fixwareout.exe/data0007 Infected: Trojan-Downloader.Win32.Delf.vq
c:\WINDOWS\Desktop\Fixwareout.exe Infected: Trojan-Downloader.Win32.Delf.vq
d:\My Documents\AAE\ebay\Ariel Clips\the_little_mermaid.exe/WISE0015.BIN Infected: Trojan-Dropper.Win32.Small.ff
d:\My Documents\AAE\ebay\Ariel Clips\the_little_mermaid.exe/WISE0023.BIN Infected: Trojan-Downloader.Win32.Wren.d
d:\My Documents\AAE\ebay\Ariel Clips\the_little_mermaid.exe Infected: Trojan-Downloader.Win32.Wren.d

Scan process completed.
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Delete these files:

c:\WINDOWS\Desktop\Update\LA Forum\fix.txt
d:\My Documents\AAE\ebay\Ariel Clips\the_little_mermaid.exe



I'm curious.. How did those things get onto your PC?

Please post a new HJT log after this
 

·
Registered
Joined
·
7 Posts
Discussion Starter · #8 ·
Hjt..

Logfile of HijackThis v1.99.1
Scan saved at 11:11:08 PM, on 9/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\PRIVACYERASER COMPUTING\FREE INTERNET ERASER\INTERNETERASER.EXE
C:\PROGRAM FILES\ICONOID\ICONOID.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\FULL TILT POKER\FULLTILTPOKER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/c/home.htm
O3 - Toolbar: (no name) - -{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Free Internet Eraser] C:\PROGRAM FILES\PRIVACYERASER COMPUTING\FREE INTERNET ERASER\INTERNETERASER.EXE /Startup
O4 - Startup: iconoid.lnk = C:\Program Files\Iconoid\iconoid.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .cfm: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppl3260.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab
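
The two HijackThis logs posted so far can be compared mechanically to see which requested fixes actually took. The following is an added example, not part of the original thread and not code from HijackThis or the helpers; the function names and the two flagging rules are assumptions made here, and the sample text is a constructed subset of lines copied from the two logs above.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of lines copied from the first HijackThis log
# in this thread (v1.97.7, 9/14/2005), with non-entry lines left in on purpose.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SPYSPOTTER3\SPYSPOTTER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/c/home.htm
O3 - Toolbar: (no name) - -{08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: (no name) - -{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [HWIPER.EXE] C:\WINDOWS\SYSTEM\HWIPER.EXE
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRAM FILES\SPYSPOTTER3\SPYSPOTTER.exe -startup
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.177.202,85.255.112.23
"""

# Constructed sample: a subset of the second log (v1.99.1, 9/18/2005).
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/c/home.htm
O3 - Toolbar: (no name) - -{4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab
"""

Entry = namedtuple("Entry", "code body")

# An entry line is "<letter><1-2 digits> - <text>"; headers and process paths
# (which start with a drive letter and a colon) do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return the entry lines of a HijackThis log as Entry(code, body), in order."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def triage(entries):
    """Flag the two entry kinds the helpers in this thread asked to have fixed.

    Assumed rules (not HijackThis's own logic): an O17 NameServer value, and
    any entry whose target is reported as "(no file)".
    """
    findings = []
    for e in entries:
        if e.code == "O17" and "NameServer" in e.body and "=" in e.body:
            value = e.body.split("=", 1)[1]
            servers = [s.strip() for s in value.split(",") if s.strip()]
            findings.append(("dns-servers-set-in-registry", e, servers))
        elif e.body.endswith("(no file)"):
            findings.append(("registered-but-no-file", e, []))
    return findings


def compare(before, after):
    """Split entries into removed / persisting / added (exact text match)."""
    b, a = set(before), set(after)
    return {
        "removed": [e for e in before if e not in a],
        "persisting": [e for e in before if e in a],
        "added": [e for e in after if e not in b],
    }


if __name__ == "__main__":
    before, after = parse_entries(LOG_BEFORE), parse_entries(LOG_AFTER)
    for reason, entry, detail in triage(before):
        print(f"[{reason}] {entry.code} - {entry.body} {detail or ''}".rstrip())
    for bucket, items in compare(before, after).items():
        for entry in items:
            print(f"{bucket:>10}: {entry.code} - {entry.body}")
```

On these samples the O17 NameServer entry and one O3 toolbar come back as removed, while the R0 start-page entry that was on the fix list is reported as persisting; entries that appear only in the later log (O9, O16) are listed as added so they can be reviewed.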
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
Have Hijackthis fix these:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Post a new log & tell me if you still have other problems.
 

·
Registered
Joined
·
7 Posts
Discussion Starter · #10 ·
Okay...

I fixed the items.
My problem still persists in that I have no access to my toolbar other than "customize" :
(And all this started when "TheQuickLink" installed itself onto IE... I've disabled it, but still can't get my address bar to return)

 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
You have disabled the "quicklink" toolbar. That's why we don't see it in the HijackThis log. We can't fix what we can't see. Please re-enable it & post a new log.
 

·
Registered
Joined
·
7 Posts
Discussion Starter · #12 ·
closure...

I'm happy to update this thread with good news...
The most recent definitions for Adaware resolved my problem.
Whatever was disabling my toolbar functionality got corrected. The following are the most likely candidates:

WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[16]=RegData : .DEFAULT\software\microsoft\windows\currentversion\policies\explorer "NoBandCustomize"

COULOMB DIALER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[18]=File : c:\WINDOWS\SYSTEM\MACROMED\Shockwave 8\xtras\download\TheGrooveAlliance\3DGrooveXtrav18\Groove.x32

Not sure which one it was, but had to be one of them.
Anyway, I hope someone goes after whoever created "TheQuickLink".. it's a NASTY one.

Thanks for all the support and help here on this forum.
 

·
Premium Member
Joined
·
14,311 Posts
It was the first one (regarding the policy - NoBandCustomize) that most likely caused that problem you had.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
 